Hi Mark,

Mark Lumsden wrote on Sat, Jan 22, 2011 at 11:35:20AM +0000:

> afterboot.8 hasn't been changed to reflect the fact that a user can
> be created during installation and you have no other option but to
> log in as root on first boot.

You have a point, but the text seems easier to follow when rearranging
it a bit.

1) I think the paragraph "Login" starts with the imperative "Log in..."
on purpose, so leave that in place.  Indeed, after installing a system,
logging in is about the first thing you should do.

2) Which user account to use for the login is closely related to that
sentence, so put it next.  Then, integrate the reference to the
installation into the existing sentence "This process is described
in more detail later."

3) The sentence about remote root logins is easier to understand
after having discouraged root login in general, so put it last.

Besides, now that we don't suggest root login any longer,
change the prompt from # to $ for non-privileged commands,
and show how to run passwd(1) using sudo(8).

I'm not sure the suggestion to type out the sudo and passwd
paths makes much sense.  Does anybody really do that in practice?
It would be very tedious, it only helps in cases where your system
is already compromised in about the worst way imaginable, and
it doesn't even help to detect the compromise or prevent all of its
consequences.  But removing that advice would be a different matter.

Yours,
  Ingo


Index: afterboot.8
===================================================================
RCS file: /cvs/src/share/man/man8/afterboot.8,v
retrieving revision 1.130
diff -u -r1.130 afterboot.8
--- afterboot.8 21 Jan 2011 12:20:04 -0000      1.130
+++ afterboot.8 22 Jan 2011 12:32:52 -0000
@@ -47,7 +47,7 @@
 .Ux
 is assumed, otherwise type:
 .Pp
-.Dl # help
+.Dl $ help
 .Pp
 Complete instructions for correcting and fixing items is not provided.
 There are manual pages and other methodologies available for doing that.
@@ -55,7 +55,7 @@
 .Xr ls 1
 command, type:
 .Pp
-.Dl # man 1 ls
+.Dl $ man 1 ls
 .Pp
 Administrators will rapidly become more familiar with
 .Ox
@@ -67,19 +67,8 @@
 .Pa http://www.openbsd.org/errata.html .
 It is recommended that you check this page regularly.
 .Ss Login
-Log in as
-.Dq root .
-You can do so on the console, or over the network using
+Log in on the console, or over the network using
 .Xr ssh 1 .
-If you wish to deny root logins over the network, edit the
-.Pa /etc/ssh/sshd_config
-file and set
-.Cm PermitRootLogin
-to
-.Dq no
-(see
-.Xr sshd_config 5 ) .
-.Pp
 For security reasons, it is bad practice to log in as root during regular use
 and maintenance of the system.
 Instead, administrators are encouraged to add a
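
Review bot: with `Log in as` / `.Dq root .` removed at the top of this hunk, the Login subsection no longer says which account to use on first boot when no regular user was created during installation, which is the case the original report was about. Suggest one sentence after `.Xr ssh 1 .` stating that root is the only available account in that situation and that it should be used only until a regular user has been added. Dropping the `.Pp` also runs the login instruction straight into `For security reasons, ...`; keep the paragraph break if that merge is not intended.
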
@@ -91,7 +80,19 @@
 and
 .Xr sudo 8
 commands when root privileges are required.
-This process is described in more detail later.
+If you did not use the option to set up a regular user account during
+the installation, see the paragraph
+.Sx Add new users
+below for details.
+.Pp
+If you wish to deny root logins over the network, edit the
+.Pa /etc/ssh/sshd_config
+file and set
+.Cm PermitRootLogin
+to
+.Dq no
+(see
+.Xr sshd_config 5 ) .
 .Ss Root password
 Change the password for the root user.
 (Note that throughout the documentation, the term
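
Review bot: the relocated `PermitRootLogin` paragraph now directly follows the case where no regular user exists yet, and nothing says to create that account and confirm it can log in over ssh(1) and obtain root privileges before setting the option to `no`; a reader following the text in order on a remote machine can lock themselves out. Suggest adding that precondition to the sentence. Also, `.Sx Add new users` refers to a section heading, so `see the section` reads better than `see the paragraph`.
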
@@ -102,7 +103,9 @@
 Do not choose any word in any language.
 It is common for an intruder to use dictionary attacks.
 Type the command
-.Ic /usr/bin/passwd
+.Pp
+.Dl $ /usr/bin/sudo /usr/bin/passwd root
+.Pp
 to change it.
 .Pp
 It is a good idea to always specify the full path name for the
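
Review bot: `.Dl $ /usr/bin/sudo /usr/bin/passwd root` presumes the reader is logged in as a regular user who is already allowed to run sudo(8), which nothing in the visible text establishes; a reader who had to log in as root runs plain `/usr/bin/passwd` and sees a `#` prompt. Suggest showing both forms or stating the assumption next to the command. The trailing context `It is a good idea to always specify the full path name for the` should also be checked so that it covers sudo as well as passwd now that both appear in the command.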
