1. Swiss cheese slices: make them holes too tight.
2. When you run everything as root, if you fuck your shit, your shit’s fucked.

“Best practices” tend to come from other people’s whoopsies. But it’s always good to question things, too.

Yes it’s always better to login with a user and sudo so your commands are logged also having disable passwords for ssh but still using passwords for sudo gives you the best protection

That server’s root access is now vulnerable to a compromise of the systems that have the private key.

A door with the best lock possible is still not as secure as no door at all

It’s another slice of Swiss cheese. If the user has a strong enough password or other authentication method through PAM, it might stop or hinder an attacker who might only have a compromised private key, for example. If multiple users have access to the same server and one of them is compromised, the account can be disabled without completely crippling the system.

Using sudo can also help you avoid mistakes (like accidentally rebooting a production server) by restricting which commands are available to the user.

It’s just another way of minimizing your attack surface. It’s pretty much the same as hiding behind a barrier when being shot at, you stick yourself out as little as possible.

In the same way it also helps to change your SSH port to somewhere in the high numbers like 38265. This is anecdotal of course, but the amount of attacks on SSH went down by literally 99% by just changing the port like that

Then you accept only keys, you lock down root (so the username must be guessed as well) and yeah, you’re safe.

It’s a bad practice to log in as root even for administrative tasks. You need to run numerous commands, some of hem can be potentially dangerous while not requiring root privileges. So normally you have an admin user in the sudo/wheel group and need to login to this account. Also, this adds some protection in case your key has leaked.

Audit trails

I never login with the root account. Not even on the console. You don’t want everything you do running as root unless it is required. Otherwise it is much easier for a little mistake to become a big mess.

It’s rarely a good idea to log in as root, doubly so if it’s a system with sensitive data or services that could easily be disrupted accidentally. And even more important if multiple users log in. How will you know who broke things to teach them if they don’t log in first. The only time I log in to any system as root other than a test system is when I need to sftp to access files or some other system that doesn’t have a way to elevate permissions.

The multi-tennant approach to the linux operating system isn’t just for security. It’s the way the OS was designed to operate. You’re not meant to use root as an ordinary user.

Disabling root removes the safety net, but it also plugs the security hole that leaving root enabled leaves.

deleted by creator

Well, with root enabled, the SSH server at least need to verify the key, no? It’s wasting CPU power albeit tiny amount.

Is there any point of logging in with a different account?

When you edit & save a file as root, root takes ownership of that file. I personally don’t like having to run chmod or chown every time I make minor changes to something.

Lots of self-important, irrational, hand-wavy responses to this question as usual.

Assuming you are the only user (sounds like it) and you secure your client device properly, then no, there is no reason not to do what you propose. Go ahead and do it, you’ll save yourself lots of redundant typing and clicking.

Others here can keep performing their security theater to ward off the evil spirits.