
Re: OpenBSD alternative for Bruce Schneier's "password safe"



Siju George wrote on Sat, May 06, 2006 at 09:31:39AM +0530:
> On 5/6/06, Bob Beck <beck_(_at_)_bofh_(_dot_)_cns_(_dot_)_ualberta_(_dot_)_ca> wrote:
>> somebody asked:

>>> How do you people store passwords in OpenBSD if you have so many of
>>> them and would need to copy one of them to a password prompt while
>>> others are around you watching your screen?

>> (ahem) I simply wouldn't do this. it's stupid.
[....]
>> This would fall under the category of
>> DON'T WRITE YOUR PASSWORD DOWN ANYWHERE!

> Just taking a rough estimate I need to remember about 70 passwords
[...]

This kind of setup does not seem very convincing to me in the first
place...  When running large numbers of servers, wouldn't it be a
better policy to

 1) have each server admin generate one RSA key with a strong personal
    passphrase on one properly configured and closely controlled central
    login server;

 2) have admins log in to the various other servers using this key
    only and from this central server only, disabling password access
    for admin accounts even when allowing password access for user
    accounts;

 3) grant admin users sudo access as required on each individual host.

In case you are serving 70 different clients, you could do essentially
the same thing, except that you would use one of your personal
machines having permanent internet access in place of the login
server mentioned in 1).

PermitRootLogin no in sshd_config(5) goes without saying anyway,
doesn't it?
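The three-step scheme above, plus the PermitRootLogin setting, written out as an added shell example. This is not part of the message and not an OpenBSD or OpenSSH file: it assumes an sshd that understands Match blocks and AuthenticationMethods (OpenSSH 6.2 or later, which the 2006 post predates), and the admin group name `wheel`, the login-server address 192.0.2.10, the key file name and the config path are constructed placeholders. It writes the sshd_config fragment that lets ordinary users keep passwords while admin accounts are key-only and accepted only from the login server, and it includes a small audit that checks a config file for the two settings the post insists on.

```shell
#!/bin/sh
# Added example, not from the post: sshd_config policy for "admins use one
# passphrase-protected key, from the login server only, root login off",
# with an audit function that checks a config file for that policy.
# Group, address and paths below are constructed placeholders.

ADMIN_GROUP="wheel"          # group holding the admin accounts (assumption)
LOGIN_SERVER="192.0.2.10"    # the central login server (documentation address)

# Step 1: each admin generates one key, with a strong passphrase, on the
# login server. ssh-keygen prompts for the passphrase; -a 100 makes guessing
# the passphrase against the key file slower. Not run by the audit below.
make_admin_key() {
    ssh-keygen -t rsa -b 4096 -a 100 \
        -f "$HOME/.ssh/id_rsa_admin" -C "admin key made on login server"
}

# Step 2 and the PermitRootLogin line: fragment for every managed host.
# Ordinary users may still use passwords; members of ADMIN_GROUP may only
# present a public key, and are refused from any address but LOGIN_SERVER.
# Writes to the file named in $1 (constructed example, not a real host's file).
write_admin_policy() {
    cat > "$1" <<EOF
# constructed example sshd_config
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes

# Admin accounts: public key only, wherever they come from.
Match Group $ADMIN_GROUP
    PasswordAuthentication no
    AuthenticationMethods publickey

# Admin accounts connecting from anywhere but the login server: refused.
Match Group $ADMIN_GROUP Address *,!$LOGIN_SERVER
    DenyGroups $ADMIN_GROUP
EOF
}

# A deliberately weak config, used to show the audit rejecting something.
write_weak_config() {
    cat > "$1" <<'EOF'
# constructed weak example
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Audit: succeeds (exit 0) only if the file in $1 sets PermitRootLogin no in
# its global section and has a "Match Group <ADMIN_GROUP>" block that sets
# PasswordAuthentication no. Keywords are compared case-insensitively, as
# sshd does; only a single group name after "Group" is recognised here.
audit_admin_policy() {
    awk -v grp="$ADMIN_GROUP" '
        BEGIN { in_match = 0; root_ok = 0; admin_ok = 0; admin_block = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blanks
        { key = tolower($1) }
        key == "match" {                          # start of a Match block
            in_match = 1; admin_block = 0
            for (i = 2; i < NF; i++)
                if (tolower($i) == "group" && $(i + 1) == grp) admin_block = 1
            next
        }
        !in_match && key == "permitrootlogin" && tolower($2) == "no" { root_ok = 1 }
        admin_block && key == "passwordauthentication" && tolower($2) == "no" { admin_ok = 1 }
        END { exit !(root_ok && admin_ok) }
    ' "$1"
}

# Demonstration: run as "sh thisfile.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_admin_policy "$tmp"
    audit_admin_policy "$tmp" && echo "policy config: admin accounts are key-only, root login off"
    write_weak_config "$tmp"
    audit_admin_policy "$tmp" || echo "weak config: rejected by audit"
    rm -f "$tmp"
fi
```

The audit reads the file textually, so it is a quick check, not the authoritative one: on the host itself, `sshd -T -C user=<admin>,host=<name>,addr=192.0.2.10` prints the configuration sshd would actually apply to that admin from that address, and running it once with the login server's address and once with any other address confirms that the Match blocks behave as intended.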