Re: Write root password on the front of the box

["Marsh J. Ray" <marsh-obsd_(_at_)_mysteray_(_dot_)_com>]

STeve Andre' wrote:

>  Well, I wouldn't do that for hundreds of machines. But for a lot of
>  people, including technical folk, they can't remember large numbers
>  of pw's, which presents an interesting problem. If one takes the
>  approach of having one pw, it should be changed with some frequency.
>
>  I agree that an entity is in big trouble if someone gets a root type
>  of password, but I'll bet most organizations are safer off overall
>  with one complex password than a mishmash of other simpler pw's where
>  some of them are taped to machines, etc.

My strategy is to have a single "best-secure" workstation (no incoming 
connections of any sort, and only outgoing ssh, maybe allow DNS), and 
all server machines allow ssh connections from public key 
authentication. I just think it's best to minimize the frequency of 
typing passwords in general.

One could give every admin a single workstation, login, and keypair 
encrypted with a passphrase only they (should) know. The root password 
could be locked in a vault, or as I advocate, taped to the front of the 
physical machine. Shoot, just write it on a rescue/boot floppy sitting 
halfway in the drive.

I'm sorry if this thread has carried on long enough. I'll stop now.

- Marsh