[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: OpenBSD alternative for Bruce Schneier's "password safe"
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: OpenBSD alternative for Bruce Schneier's "password safe"
- From: Ingo Schwarze <schwarze_(_at_)_usta_(_dot_)_de>
- Date: Sun, 7 May 2006 11:16:30 +0200
Siju George wrote on Sat, May 06, 2006 at 09:31:39AM +0530:
> On 5/6/06, Bob Beck <beck_(_at_)_bofh_(_dot_)_cns_(_dot_)_ualberta_(_dot_)_ca> wrote:
>> somebody asked:
>>> How do you people store passwords in OpenBSD if you have so many of
>>> them and would need to copy one of them to a password prompt while
>>> others are aroud you watching your screen?
>> (ahem) I simply wouldn't do this. it's stupid.
>> This would fall under the category of
>> DON'T WRITE YOUR PASSWORD DOWN ANYWHERE!
> Just taking a rough Estimate I need to remember about 70 passwords
This kind of setup does not seem very convincing to me in the first
place... When running large numbers of servers, wouldn't it be a
better policy to
1) have each server admin generate one RSA key with a strong personal
passphrase on one properly configured and closely controlled central
2) have admins login to the various other servers using this key
only and from this central server only, disabling password access
for admin accounts even when allowing password access for user
3) grant admin users sudo access as required on each individual host.
In case you are serving 70 different clients, you could do essentially
the same thing, except that you would use one of your personal
machines having permanent internet access in place of the login
server mentioned in 1).
PermitRootLogin no in sshd_config(5) goes without saying anyway,