[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Write root password on the front of the box

STeve Andre' wrote:

 Well, I wouldn't do that for hundreds of machines. But for a lot of
 people, including technical folk, they can't remember large numbers
 of pw's, which presents an interesting problem. If one takes the
 approach of having one pw, it should be changed with some frequency.

 I agree that an entity is in big trouble if someone gets a root type
 of password, but I'll bet most organizations are safer off overall
 with one complex password than a mishmash of other simpler pw's where
 some of them are taped to machines, etc.

My strategy is to have a single "best-secure" workstation (no incoming connections of any sort, and only outgoing ssh, maybe allow DNS), and all server machines allow ssh connections from public key authentication. I just think it's best to minimize the frequency of typing passwords in general.

One could give every admin a single workstation, login, and keypair encrypted with a passphrase only they (should) know. The root password could be locked in a vault, or as I advocate, taped to the front of the physical machine. Shoot, just write it on a rescue/boot floppy sitting halfway in the drive.

I'm sorry if this thread has carried on long enough. I'll stop now.

- Marsh

Visit your host, monkey.org