Should I delete user "root" ?

#1 Tue, 06/02/2009 - 22:35
Anonymous

Hello,

I usually use user "root" to login and do admin on any of my servers as it gives me full access to everything.

However, maybe using "root", or even having a user named that, is silly, as it means that someone now only has to guess the password (rather than the username and the password).

Should I create a new user with full rights like "root" ? And then delete user "root" ?

Or can I just change "root"'s name to something else?

For security, I occasionally change the password, but I don't know how secure that is.

Any suggestions ? What do you guys do ?

Thanks

Tue, 06/02/2009 - 23:46
Joe

The most important thing is to use a strong password and change it every year or so.

A strong password is longer than 8 characters, contains numbers, and upper/lower letters, and possibly punctuation. A strong password is not based on dictionary words, and generally looks random.

This is a strong password: kGjh4HH+TURy

This is not: joeiscool

We use public_key logins for ssh, and we do have a joeroot and a jamieroot account, but that's just because neither of us can ever remember the regular root password (it's <i>strong</i>!). If it were just my server, I'd set root to my usual strong password, and it wouldn't be a problem to have it memorized. It's when I have to keep up with more than a couple of strong passwords that it becomes a problem, and we have to introduce joeroot. ;-)

--

Check out the forum guidelines!

Wed, 06/03/2009 - 06:41 (Reply to #2)
ronald

I have created a user that only has sufficient rights to create servers (access to the module virtual-servers).

I don't advise keeping any credentials on a Windows-operated machine. That OS has too many leaks and it's not transparent at all.
One little virus (and that happens quickly, often without you knowing it) and your data is compromised.

I also use keys to access my machines as root when I really need to (as per Eric's advice: set PermitRootLogin to "without-password").

Setting your static IP as the only one that can connect to your server (webmin configuration) adds another security layer.

Wed, 06/03/2009 - 09:39 (Reply to #3)
Donkzilla

I locked myself out of my admin console a while ago by using the <b>@</b> character in my password - I had to get in via SSH to change it to an alphanumeric password.

Wed, 06/03/2009 - 09:40 (Reply to #4)
jaldeguer

After installing Virtualmin GPL, I would always clone the root account to another username something like @w3bM1n@. Then use a password combination as suggested by Joe. Logout, then login as the cloned user then proceed to delete the root account created by Virtualmin install script.

Wed, 06/03/2009 - 11:14 (Reply to #5)
Joe

Oh, I should probably make it very clear that when we talk about deleting root, we're talking about the Webmin root user. Not the system root user. You do not want to delete the system root user, ever, under any circumstances. You can set SSH to not allow root logins...but you should always have a system root user.


Sun, 06/07/2009 - 07:57
Davvit

You say you have difficulty remembering your passwords. Is it bad practice to have Windows remember them for you and then just auto-fill them?

Another thing I was thinking of doing is having a spreadsheet with all my passwords on them. Obviously I would not call it passwords.xls but something boring like may-expenses.xls.

Is that also a bad idea?

Finally, your jamieroot, etc.: are these in addition to "root"?

I guess that I add a "master-user" like that in the Webmin section.

Wed, 06/03/2009 - 02:59
Joe

<div class='quote'>Is it bad practice to have Windows remember them for you and then just auto-fill them?</div>

I'm unfamiliar with this "Windows" of which you speak. (I use Linux on my desktop and laptop.) ;-)

But, I know what you mean. If your PC is reasonably secure, and not used by untrusted users, then it's probably fine. But, keep in mind that when you have any form that has a "Username" and/or "Password" field on it, the browser will fill in your saved details...so, if you're creating a new virtual server, if you aren't paying attention you'll create it with root as the user and with root's password. Virtualmin <i>should</i> prevent you from doing something dumb like that, but we had someone recently report the same symptoms (though I'm not convinced it was the same problem...he disappeared after I asked for clarification of how he got his system into that state). Anyway, the results of that can't possibly be good. So, just be aware of that, if you do save your passwords.

I tend to save passwords on my desktop machine, but not on my laptop or Android phone (since the odds of my lappy or phone falling into the hands of someone I don't trust are dramatically higher than my home PC).

<div class='quote'>Finally, your jamieroot, etc.: are these in addition to "root"?</div>

Yes, though they don't have to be. I don't think anybody even remembers our root password on Virtualmin.com anymore. It's just that strong. ;-)

<div class='quote'>I guess that I add a "master-user" like that in the Webmin section.</div>

Yes, just grant the user full access to all modules. Webmin sort of defaults to being a root-level tool, so creating a root-level user is pretty easy.


Wed, 06/03/2009 - 06:08 (Reply to #8)
andreychek

A couple of additional thoughts on all this --

Some people make it so that root can't log in over SSH -- that instead, you have to log in as another user (where you have to know both the name and password) -- and then su (or sudo) to root.

That's an option in the /etc/ssh/sshd_config file (PermitRootLogin) -- just make sure you verify that you can log in and su to root before disabling root's ability to log in over SSH :-)

You can also set PermitRootLogin to "without-password", which says that you can login remotely as root, but only if you're using an SSH key.
-Eric
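Eric's PermitRootLogin advice above (the same setting ronald mentions earlier in the thread), as an added shell example that is not from the thread or from Virtualmin. The sshd_config content and path are constructed for demonstration; the script also handles the case where the file already contains a PermitRootLogin line, which sshd would otherwise make a new trailing line silently ineffective.

```shell
#!/bin/sh
# Added example (not from the thread or from Virtualmin): apply the
# PermitRootLogin change described in the thread to an sshd_config file,
# keeping a backup. sshd honours only the FIRST occurrence of a keyword, so a
# setting appended to a file that already has one is silently ignored; this
# script inserts the new line at the top and drops old top-level ones.
set -eu

# Print the effective top-level PermitRootLogin value of a config file.
# Lines inside a "Match" block apply conditionally and are skipped.
effective_permit_root_login() {
    awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" { print $2; exit }
    ' "$1"
}

# Allow root over SSH only with a key ("without-password"; newer OpenSSH also
# spells this "prohibit-password" and still accepts the old name).
set_root_key_only() {
    cfg="$1"
    cp "$cfg" "$cfg.bak"
    {
        printf 'PermitRootLogin without-password\n'
        awk '
            tolower($1) == "match" { in_match = 1 }
            !(!in_match && tolower($1) == "permitrootlogin")
        ' "$cfg.bak"
    } > "$cfg"
}

# Syntax-check a config before restarting sshd (needs sshd and usually root).
check_sshd_config() {
    sshd -t -f "$1"
}

# Constructed sample config for demonstration; not copied from any host.
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.example.$$"
printf '%s\n' \
    '# constructed example' \
    'Port 22' \
    'PermitRootLogin yes' \
    'PasswordAuthentication yes' \
    'Match User deploy' \
    '    PermitRootLogin no' > "$SAMPLE_CFG"

echo "before: $(effective_permit_root_login "$SAMPLE_CFG")"   # yes
set_root_key_only "$SAMPLE_CFG"
echo "after:  $(effective_permit_root_login "$SAMPLE_CFG")"   # without-password
```

As Eric says, confirm a key-based root login and a normal-user login plus su both work on a second session before restarting sshd, and run check_sshd_config on the file first.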
