
Re: Debian security: need recipe for blocking root ssh access AND all ssh password access



On 18/02/16 11:02, Jeremy T. Bouse wrote:
>>> I do agree locking the root password isn't advisable. As I use
>>> configuration management/automation to handle my servers I simply set the
>>> root password to a generated password that only I know the algorithm to
>>> reproduce it when I need to,
>> Can you give more details on the process (at least generally)?
> It's a technique I picked up from a past job... We took several pieces
> of information we'd know about a machine and concatenated it together
> with a delimiter character, then hashed it and cut it to length, then
> used that as the password. So it was then encrypted with the appropriate
> password crypt routine for the host. If we needed the root password we
> could regenerate it from the information but rarely needed it outside of
> a DR situation.

That's essentially equivalent to having one root password for all hosts,
assuming all the info about the host is relatively easy to get. It just
means you need to remember the rules instead of the password.

That then means that you don't get to choose which people have root on
which boxes - anyone who gets the rule gets the lot. And that includes
anyone who leaves, of course.

I think a better solution in the end is to generate a random password
for each box, and leave it, on paper, in a safe or similar. It's very
rare anyone needs to use it.

Richard
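An added illustration of the two schemes discussed in this thread (not code from either poster): a rule-derived root password built the way Jeremy describes (concatenate host facts with a delimiter, hash, cut to length), beside an independent random password per host as Richard suggests. The host inventory, the choice of fields, the delimiter, the hash and the truncation length are all constructed assumptions for the example; the final crypt step that turns the password into an /etc/shadow entry is left out, since the argument does not depend on it. The point the code makes is Richard's: whoever holds the rule can reproduce every host's password, so the rule, not the individual passwords, is the real shared secret.

```python
"""Rule-derived root passwords versus per-host random ones (added example)."""
import hashlib
import secrets
import string

# Constructed inventory: the kind of facts a machine "knows" about itself.
# Note that none of these are secret; they are readable by anyone on the box.
HOSTS = {
    "web01": {"fqdn": "web01.example.com", "serial": "SN-0001", "site": "dc1"},
    "db01": {"fqdn": "db01.example.com", "serial": "SN-0002", "site": "dc1"},
    "bak01": {"fqdn": "bak01.example.com", "serial": "SN-0003", "site": "dc2"},
}

# The "rule" (assumed for this example): which facts, in which order,
# joined with which delimiter, hashed how, and cut to what length.
RULE = {"fields": ("fqdn", "serial", "site"), "delim": "|", "length": 16}


def rule_derived_password(facts: dict, rule: dict = RULE) -> str:
    """Concatenate the chosen facts with the delimiter, hash, cut to length."""
    material = rule["delim"].join(facts[f] for f in rule["fields"])
    digest = hashlib.sha256(material.encode("utf-8")).hexdigest()
    return digest[: rule["length"]]


def passwords_known_to_rule_holder(rule: dict, inventory: dict) -> dict:
    """Everything a holder of the rule can reproduce given the (public) host facts:
    the root password of every host in the inventory, i.e. the rule behaves like
    one shared credential across the whole estate."""
    return {host: rule_derived_password(facts, rule) for host, facts in inventory.items()}


def rule_is_the_only_secret(rule: dict, inventory: dict) -> bool:
    """True when two independent holders of the rule derive identical passwords
    for all hosts; revoking one person's access is then impossible without
    changing the rule and rotating every host."""
    return passwords_known_to_rule_holder(rule, inventory) == passwords_known_to_rule_holder(rule, inventory)


ALPHABET = string.ascii_letters + string.digits


def random_password(length: int = 24) -> str:
    """Independent per-host secret from the OS CSPRNG; nothing to derive it from."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def per_host_random_passwords(inventory: dict) -> dict:
    """One fresh random password per host, to be printed and kept in the safe.
    Knowing one host's password (or the generator) reveals nothing about the rest."""
    return {host: random_password() for host in inventory}


if __name__ == "__main__":
    print("derived (reproducible by any rule holder):")
    for host, pw in passwords_known_to_rule_holder(RULE, HOSTS).items():
        print(f"  {host}: {pw}")
    print("random (one independent secret per host):")
    for host, pw in per_host_random_passwords(HOSTS).items():
        print(f"  {host}: {pw}")
```

Running it twice prints the same three derived passwords both times and three different random ones each time, which is exactly the property at issue: the derived scheme's "password" is really the rule plus information readable on every host, so it has the blast radius of a single shared root password.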

