
Re: root via ssh / why su - ?



on Mon, May 28, 2001 at 09:18:17PM +1000, Brian May (bam@debian.org) wrote:
> >>>>> "Alvin" == Alvin Oga <aoga@Mail.Linux-Consulting.com> writes:
> 
>     >> On my own boxen, root passwords were changed from defaults, and
>     >> root ssh denied.  I actually stood down my system administrator
>     >> telling him he had no need for a root password on the box -- he
>     >> could administer the box locally if need be, I didn't trust his
>     >> security management (passwords were kept in an Excel
>     >> spreadsheet -- he didn't last long).
> 
>     Alvin> humm...smart... why bother have a "secret passwd" if ya
>     Alvin> gonna write it down... oh well...
> 
> If you administrate XYZ different computer systems, and each computer
> has a different root password, it can become very difficult to
> remember all these passwords (especially if you don't regularly use
> that particular system). 

This is why God invented ssh RSA key authentication.  One passphrase
(mine runs better than 25 characters) hits all systems.  For one bastion
system I accessed, I didn't *know* my user password, having first
changed it to some arbitrary 12 character string.  pwgen is fun.  I've
also checked to see that it generates a wide range of generally distinct
passwords, and it appears it does (posted recently to bugtraq).

> So you either run the risk of forgetting a vital password at a vital
> time, or you write them down somewhere in a safe place.

I also use my palm pilot and Cryptinfo.

Other options include one-time password generators available as credit
cards or key fobs.

> ...ssh RSA/DSA authentication might be the best solution (assuming you
> *allow* remote root logins), 

No.  You allow remote unprivileged user logins, and sudo root for
specific commands.

> but only if you always log on from the same trusted computer every
> time. Not good, for instance, if you accidentally break network access
> to a central server, but can't remember the password to login locally
> to the console.

...in which case you log in as a local user and grab the password from
your secured palm pilot or similar.

> (Just a thought: perhaps a better solution would be to store these
> passwords on a computer file, but GPG encrypt them?)

Several such utilities exist for GNU/Linux, though I haven't used any
myself.  Potential problems exist on any shared-memory system.  At least
a palm pilot is relatively isolated, though this assumption may change.

-- 
Karsten M. Self <kmself@ix.netcom.com>    http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/         http://www.kuro5hin.org
   Disclaimer:          http://www.goldmark.org/jeff/stupid-disclaimers/

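The policy argued in the mail above (deny remote root, allow unprivileged logins with keys only, and reach root through sudo) is a handful of sshd_config lines, but the trap is that sshd takes the FIRST value it sees for a keyword, so appending "PermitRootLogin no" to a file that already says "yes" higher up changes nothing. The script below is an added example, not code from the original mail or from the OpenSSH project: it extracts the effective global value of a keyword the way sshd does (first occurrence wins, nothing after a "Match" line counts as global) and audits two constructed sample configs against the policy. The keyword names are OpenSSH's (PubkeyAuthentication is the protocol-2 keyword; the protocol-1 equivalent current in 2001 was RSAAuthentication), the sample configs are made up for the example, and the "yes" defaults assumed for absent keywords are the historical OpenSSH defaults.

```shell
#!/bin/sh
# Added example, not part of the original mail: audit an sshd_config
# against the policy from the thread (no remote root login, no password
# logins, key authentication on). Sample configs below are constructed
# for this example, not taken from any real host.

# Print the effective global value of KEYWORD from the sshd_config text
# on stdin, lower-cased. Two sshd rules are modelled: the FIRST occurrence
# of a keyword wins, and anything after a "Match" line is conditional,
# so it is not a global setting. DEFAULT is printed if the keyword is
# absent. Usage: printf '%s\n' "$cfg" | sshd_effective KEYWORD DEFAULT
sshd_effective() {
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/                  { next }   # comment line
        NF == 0                     { next }   # blank line
        tolower($1) == "match"      { exit }   # end of the global section
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }
    '
}

# Audit one config passed as text. Prints a FAIL line per deviation, or
# OK; returns 0 when compliant, 1 otherwise. Defaults assumed for absent
# keywords are the historical OpenSSH ones (everything "yes"); current
# releases default PermitRootLogin to prohibit-password, which this check
# still flags, because the policy here wants an explicit "no".
audit_sshd() {
    cfg="$1"; rc=0
    root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin yes)
    pw=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication yes)
    key=$(printf '%s\n' "$cfg" | sshd_effective PubkeyAuthentication yes)
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root (want no)"; rc=1; }
    [ "$pw" = no ]   || { echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1; }
    [ "$key" = yes ] || { echo "FAIL PubkeyAuthentication=$key (want yes)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Constructed sample: stock settings, with a "no" appended later in the hope
# of fixing it. sshd keeps the first PermitRootLogin value, so root stays on.
WEAK_CFG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later; ignored by sshd because the first value above wins
PermitRootLogin no'

# Constructed sample: the hardened config. The Match block at the end is
# per-user and does not affect the global values the audit reads.
HARD_CFG='Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    X11Forwarding no'

echo "weak config:";     audit_sshd "$WEAK_CFG" || true
echo "hardened config:"; audit_sshd "$HARD_CFG"
```

Run it as-is and the weak config fails on both PermitRootLogin and PasswordAuthentication while the hardened one passes. Two caveats a practitioner should keep in mind: the check stops at the first "Match" line, so any Match block that re-enables PasswordAuthentication for an address range or user has to be reviewed by hand, and the audit says nothing about sudo; the "sudo root for specific commands" half of the policy lives in sudoers, where the thing to avoid is a blanket ALL=(ALL) ALL for the admin account when a list of named commands would do.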