
Re: Debian security: need recipe for blocking root ssh access AND all ssh password access



[Please don't cc me; I'm on the list]

On 19/02/16 11:05, Roman wrote:
> 2016-02-18 22:30 GMT+02:00 Richard Hector <richard@walnut.gen.nz>:
> 
>     I think a better solution in the end is to generate a random password
>     for each box, and leave it, on paper, in a safe or similar. It's very
>     rare anyone needs to use it.
> 
> 
> Here is a hint (joke), how to secure root password for servers that are
> physically accessible.
> Just generate a random password during install long enough to be not
> able to remember it. Do not write it down, continue installation.

That's just a marginally less secure version of locking it :-)

> At any given time you need the root session, just get the disk drive
> from your server and connect it to another machine, then just replace
> the hash with one you know the password for in /etc/shadow. Place your drive
> back and boot up. After you finish the work, change your root password
> again to some crazy piece of random.
> 

... or just boot from usb/cd/floppy/tape/whatever :-)

Richard

