
Re: Debian security: need recipe for blocking root ssh access AND all ssh password access



On Fri, Feb 19, 2016 at 09:30:20AM +1300, Richard Hector wrote:
> That then means that you don't get to choose which people have root on
> which boxes - anyone who gets the rule gets the lot. And that includes
> anyone who leaves, of course.

Yes, but a leaked root password for one host does not translate into a leaked
root password for other hosts, so there are some advantages. If the routine
additionally concatenates a fixed password string, you can rotate that when
staff leave and regenerate/reset all the passwords.

> I think a better solution in the end is to generate a random password
> for each box, and leave it, on paper, in a safe or similar. It's very
> rare anyone needs to use it.

In my past jobs we've always ended up doing something like that in the end,
never getting an algorithmic solution like the above off the ground, but it
does sound attractive to me.

-- 
Jonathan Dowland
Please do not CC me, I am subscribed to the list.
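
The per-host derivation discussed in the message above, as an added example that is not part of the original thread. The thread only says the routine concatenates a fixed password string; this sketch substitutes PBKDF2-HMAC-SHA256 keyed by that string with the hostname as salt, so a leaked host password is costly to brute-force back to the shared string. The function names, hostnames and secrets are constructed for illustration.

```python
import base64
import hashlib

ITERATIONS = 200_000  # assumption: tune to what your admin workstation tolerates


def derive_root_password(fixed_string: bytes, hostname: str) -> str:
    """Derive one host's root password from the shared fixed string."""
    # Normalise so "WEB1.Example.Org." and "web1.example.org" give the same result.
    host = hostname.strip().rstrip(".").lower().encode("utf-8")
    # 15 bytes = 120 bits, which base32-encodes to exactly 24 characters.
    raw = hashlib.pbkdf2_hmac("sha256", fixed_string, b"root-pw\x00" + host,
                              ITERATIONS, dklen=15)
    # Lower-case base32 avoids look-alike characters when typed at a console.
    return base64.b32encode(raw).decode("ascii").lower()


def regenerate_all(fixed_string: bytes, hostnames: list[str]) -> dict[str, str]:
    """Recompute every host's password, e.g. after rotating the fixed string."""
    return {h: derive_root_password(fixed_string, h) for h in hostnames}


if __name__ == "__main__":
    hosts = ["web1.example.org", "db1.example.org"]  # constructed sample hosts
    old = regenerate_all(b"constructed-fixed-string-A", hosts)
    new = regenerate_all(b"constructed-fixed-string-B", hosts)  # staff left: rotate
    for h in hosts:
        print(f"{h}: {old[h]} -> {new[h]}")
```

Anyone who holds the fixed string can still derive every host's password, which is the limitation raised in the quoted text; rotation only helps once the regenerated passwords have actually been set on each box.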

