bsus said:
My question is now: should I create an extra admin account with membership in wheel which can manage the server over ssh private key and sudo?
If you use ssh(1), be sure to disable root logins by putting in your /etc/ssh/sshd_config file.
Next, you can either use the wheel group (explained below) or security/sudo (see below too). There's nothing to prevent you from using both, but in my opinion that kinda defeats the purpose.
Using the wheel group:
Create a normal user account. I recommend using something less obvious than, say, "admin" or "administrator". Here I will use the name "yoda" as an example. Do not set yoda's primary login group to wheel. Instead, make him a member of his own group (default adduser behavior) or set his primary login group to something that already exists, such as "users" or something. Then just add yoda to the wheel group separately. This allows yoda to login via ssh as a mortal user and then su(1) to root.
Using sudo:
You can specify who is allowed to do what in the file /usr/local/etc/sudoers. Consult the corresponding manpage for exact details, or ask a followup question here. Be careful about what you allow, though. Some programs (text editors come to mind) allow shell escapes, meaning that you may think you're only allowing somebody to edit a file but in the process you're actually allowing them to do pretty much anything!
bsus said:
or should I make a group "admin" in the group "wheel" of which my usual user is a member?
As far as I know, you can't have groups within groups (although it can to some extent be emulated with NIS netgroups).
Hope this helps,
Fonz
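An added example, not from Fonz's post or the thread: a small sh script that checks the three points made above (root login disabled in sshd_config, the admin user in wheel only as a supplementary member, and sudoers rules that hand out a text editor without NOEXEC) against constructed sample files. The file contents, the user "yoda", and the list of editors are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Pass real paths (/etc/ssh/sshd_config,
# /etc/passwd, /etc/group, /usr/local/etc/sudoers) to check a live FreeBSD box.

# 1. PermitRootLogin must be "no". sshd(8) uses the first value it finds for a
#    keyword, so stop at the first non-comment match; an absent keyword fails.
sshd_root_login_disabled() {
    val=$(awk '$1 !~ /^#/ && tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# 2. The admin user should have some other primary group and be listed as a
#    supplementary member of wheel (passwd(5) field 4 is the gid; group(5)
#    field 4 is the comma-separated member list).
wheel_membership_ok() {
    user=$1; passwd_file=$2; group_file=$3
    wheel_gid=$(awk -F: '$1 == "wheel" { print $3 }' "$group_file")
    primary_gid=$(awk -F: -v u="$user" '$1 == u { print $4 }' "$passwd_file")
    listed=$(awk -F: -v u="$user" '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print "yes" }' "$group_file")
    [ -n "$primary_gid" ] && [ "$primary_gid" != "$wheel_gid" ] && [ "$listed" = "yes" ]
}

# 3. Print sudoers rules that grant a text editor (which can shell out) without
#    the NOEXEC: tag. The editor list is an assumption; extend it as needed.
sudoers_editor_escapes() {
    awk -v re='(^|[/ ,])(vi|vim|view|ed|ee|emacs|nano)( |$|,)' \
        '$1 !~ /^#/ && $0 ~ re && !/NOEXEC:/ { print }' "$1"
}

# --- constructed sample files (not real system files) ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# comment' 'PermitRootLogin no' 'PermitRootLogin yes' > "$tmp/sshd_config"
printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/sh' \
    'yoda:*:1001:1001:Yoda:/home/yoda:/bin/sh' > "$tmp/passwd"
printf '%s\n' 'wheel:*:0:root,yoda' 'yoda:*:1001:' 'users:*:100:' > "$tmp/group"
printf '%s\n' 'root ALL=(ALL) ALL' 'yoda ALL=(root) /usr/bin/vi /etc/rc.conf' \
    'yoda ALL=(root) NOEXEC: /usr/local/bin/vim /etc/hosts' > "$tmp/sudoers"

sshd_root_login_disabled "$tmp/sshd_config" && echo "sshd: root login disabled"
wheel_membership_ok yoda "$tmp/passwd" "$tmp/group" && echo "yoda: supplementary wheel member only"
echo "sudoers rules allowing editor shell escapes:"; sudoers_editor_escapes "$tmp/sudoers"
```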