Re: Write root password on the front of the box
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Write root password on the front of the box
- From: "Marsh J. Ray" <marsh-obsd_(_at_)_mysteray_(_dot_)_com>
- Date: Wed, 26 May 2004 15:39:43 -0400
STeve Andre' wrote:
> Well, I wouldn't do that for hundreds of machines. But for a lot of
> people, including technical folk, they can't remember large numbers
> of pw's, which presents an interesting problem. If one takes the
> approach of having one pw, it should be changed with some frequency.
> I agree that an entity is in big trouble if someone gets a root type
> of password, but I'll bet most organizations are safer off overall
> with one complex password than a mishmash of other simpler pw's where
> some of them are taped to machines, etc.
My strategy is to have a single "best-secure" workstation (no incoming
connections of any sort, and only outgoing ssh, maybe allow DNS), and
all server machines allow ssh connections from public key
authentication. I just think it's best to minimize the frequency of
typing passwords in general.
One could give every admin a single workstation, login, and keypair
encrypted with a passphrase only they (should) know. The root password
could be locked in a vault, or as I advocate, taped to the front of the
physical machine. Shoot, just write it on a rescue/boot floppy sitting
halfway in the drive.
I'm sorry if this thread has carried on long enough. I'll stop now.
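The setup the message describes (a locked-down admin workstation, and servers that take ssh from public keys only) as an added shell example; this is not code from the post, the poster, or OpenBSD. The sshd_config auditor, both sample configs and the bastion address 192.0.2.10 are constructed here for illustration, and the pf ruleset assumes the workstation's uplink is in the egress interface group. Two things the auditor catches that a quick grep does not: a commented-out "#PasswordAuthentication yes" still means yes (OpenSSH's default), and a "PasswordAuthentication no" placed under a Match block applies only to that block, not to the server as a whole.

```shell
#!/bin/sh
# Added example (not from the post): audit an sshd_config for the
# "public key only" policy the message describes, and print the matching
# pf ruleset for the admin workstation. Sample configs are constructed.

# Effective global value of a keyword. sshd honours the first occurrence,
# and anything after the first "Match" line is conditional, so stop there.
# $1 = file, $2 = keyword (case-insensitive), $3 = value to report if unset
sshd_global_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*(#|$)/          { next }
        tolower($1) == "match"        { exit }
        tolower($1) == key && !found  { print tolower($2); found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 if the file leaves only public-key authentication enabled,
# otherwise print each offending setting and return 1. The fallback values
# are OpenSSH's own defaults: password and keyboard-interactive auth are on
# unless disabled, and PermitRootLogin defaults to prohibit-password.
check_pubkey_only() {
    cfg=$1
    bad=0
    pw=$(sshd_global_value "$cfg" PasswordAuthentication yes)
    # KbdInteractiveAuthentication is the current keyword (OpenSSH 8.7+);
    # ChallengeResponseAuthentication is the older alias many configs use.
    kbd=$(sshd_global_value "$cfg" KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(sshd_global_value "$cfg" ChallengeResponseAuthentication yes)
    pk=$(sshd_global_value "$cfg" PubkeyAuthentication yes)
    root=$(sshd_global_value "$cfg" PermitRootLogin prohibit-password)

    [ "$pw" = no ]     || { echo "$cfg: PasswordAuthentication is $pw"; bad=1; }
    [ "$kbd" = no ]    || { echo "$cfg: keyboard-interactive auth is $kbd"; bad=1; }
    [ "$pk" = yes ]    || { echo "$cfg: PubkeyAuthentication is $pk"; bad=1; }
    [ "$root" != yes ] || { echo "$cfg: PermitRootLogin is yes"; bad=1; }
    return $bad
}

# Workstation side of the same policy: nothing in, only ssh and DNS out.
# Assumes the uplink is in the egress group (the OpenBSD default).
workstation_pf_rules() {
    cat <<'EOF'
set skip on lo
block all
pass out on egress proto tcp to any port ssh
pass out on egress proto { tcp, udp } to any port domain
EOF
}

tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
WEAK=$tmp/sshd_config.weak
HARDENED=$tmp/sshd_config.hardened

# Constructed: a stock-looking config that still takes passwords globally;
# the commented line is the default, and the Match block only narrows
# password auth off for one address.
cat >"$WEAK" <<'EOF'
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
Match Address 192.0.2.10
    PasswordAuthentication no
EOF

# Constructed: what the message's servers should run. The AllowUsers line
# restricts logins to the (hypothetical) admin workstation address.
cat >"$HARDENED" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AuthenticationMethods publickey
AllowUsers *@192.0.2.10
EOF

for f in "$WEAK" "$HARDENED"; do
    if check_pubkey_only "$f"; then echo "$f: public-key only, OK"; fi
done
echo "--- workstation pf.conf ---"
workstation_pf_rules
```

Run it as a normal user; it only reads the constructed files. To audit a real server, call check_pubkey_only on /etc/ssh/sshd_config, and remember that a Match block can still widen access for the hosts it names, so read those blocks by hand.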