Re: root via ssh / why su - ?



>>>>> "Alvin" == Alvin Oga <aoga@Mail.Linux-Consulting.com> writes:

    >> On my own boxen, root passwords were changed from defaults, and
    >> root ssh denied.  I actually stood down my system administrator
    >> telling him he had no need for a root password on the box -- he
    >> could administer the box locally if need be, I didn't trust his
    >> security management (passwords were kept in an Excel
    >> spreadsheet -- he didn't last long).

    Alvin> humm...smart... why bother have a "secret passwd" if ya
    Alvin> gonna write it down... oh well...

If you administrate XYZ different computer systems, and each computer
has a different root password, it can become very difficult to
remember all these passwords (especially if you don't regularly use
that particular system). So you either run the risk of forgetting a
vital password at a vital time, or you write them down somewhere in a
safe place.

...admittedly, I would refrain from writing all my passwords down in
the same place. If somebody did manage to get the list, he/she would
have access to everything, not just one or two systems!

...also, not sure I would trust Excel, but that is another topic ;-)

...ssh RSA/DSA authentication might be the best solution (assuming you
*allow* remote root logins), but only if you always log on from the
same trusted computer every time. Not good, for instance, if you
accidentally break network access to a central server, but can't
remember the password to log in locally to the console.

(Just a thought: perhaps a better solution would be to store these
passwords on a computer file, but GPG encrypt them?)
-- 
Brian May <bam@debian.org>


