Ah - not so much a particular use case scenario as much as it is a goal to make it more difficult to create local admins or other accounts.
With the constant flow of security exploits on a daily basis, I would theorize that, by limiting root to console only and further disabling new user creation from any other accounts, this could inhibit hackers from possibly combining exploits and lateraling.
Well, usually DietPi is designed to work completely headless. Therefore root access via SSH is allowed by default (not every user is able to have a monitor or keyboard attached). If needed you can disable root login via SSH already. There are different ways to achieve this, depending on your SSH server.
Next to that, you have the non-root user dietpi who can manage everything using the sudo command.
Basically everything is already there.
As well, there are other methods to protect your system and to restrict access to the local network or a specific computer:
Ensure your router is not forwarding unnecessary ports and disable UPnP
Use a different port (not 22) on the SSH server
Don't allow password access, use keys only
Use TCP wrappers to allow specific hosts only
Use iptables or ufw to restrict access on the SSH server port
Use fail2ban to detect failed login attempts and to block access if needed
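The sshd-side items above (no root login over SSH, keys only, non-default port) can be checked against an existing config. The script below is an added example, not code from this thread or from the DietPi project; the two config files it writes are constructed samples, and /etc/ssh/sshd_config is assumed as the real location on a DietPi/OpenSSH install.

```shell
#!/bin/sh
# Added example (not from the DietPi thread): audit an OpenSSH sshd_config for
# the hardening points discussed above. Sample configs below are CONSTRUCTED.
# On a real system you would call: check_sshd_config /etc/ssh/sshd_config
# Caveat: settings inside "Match" blocks are not evaluated by this simple check.

# Effective value of a keyword: sshd uses the FIRST uncommented occurrence.
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Prints one FAIL line per weak setting; returns the number of failures.
check_sshd_config() {
    conf="$1"; fails=0
    for rule in "PermitRootLogin:no" "PasswordAuthentication:no"; do
        key=${rule%%:*}; want=${rule#*:}
        have=$(sshd_opt "$conf" "$key")
        # An unset keyword falls back to the sshd default, which is weaker than
        # "no" for both keys (prohibit-password and yes respectively).
        [ -z "$have" ] && have="(default)"
        if [ "$have" != "$want" ]; then
            echo "FAIL $key=$have (want $want)"; fails=$((fails + 1))
        fi
    done
    port=$(sshd_opt "$conf" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL Port=${port:-22} (move off the default port)"; fails=$((fails + 1))
    fi
    return "$fails"
}

tmp=$(mktemp -d)
# Constructed "weak" config: root over SSH with passwords on the default port.
printf '%s\n' '# constructed sample' 'Port 22' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' > "$tmp/weak.conf"
# Constructed "hardened" config: the thread's advice applied. After changing the
# port, also limit it at the firewall, e.g. "ufw allow from <LAN> to any port 2222 proto tcp".
printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' > "$tmp/hard.conf"

echo "== weak =="; check_sshd_config "$tmp/weak.conf" || echo "$? problem(s)"
echo "== hardened =="; check_sshd_config "$tmp/hard.conf" && echo "all checks passed"
```

Run `sshd -t` after editing the real file and keep an existing session open until a new key-based login succeeds on the new port.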
Thank you so much Joulinar! Excellent food for thought! I am using DietPi not only to learn more about Linux but also to expand into Linux security (which I know even less about).
I plan to use this thread as a placeholder for other folks who might be interested in the same.
Thanks so much again to you and the entire DietPi team!!!