hi brian

yes ...

if one is forced, by ones forgetfullyness or really good
passwds... i'd write it down and ENCRYPT that file...
the assumption is you never forget the passwd or the pass phrase
on the ONE machine... and keep a copy of it on another machine
so that if you lose the disk/file...you have it store elsewhere
in encrypted form...

problem now is... if they get your pass phrase ....
they have root passwds to all your servers.... really really bad....
and its sorta obvious that encrypted files are important files 

and i disallow root ssh logins...  and i dont allow ssh connections
without entering a passwd ... ( there other ways to get the same
effect for scripts .... and there better NOT be any passwd in the 
scripts either... audit those scripts that your users did ...

even if you forget root passwd ...you can always hit ctrl-alt-del and
boot into single user mode... though thats another issue of
where to allow it or not...and whether single user should be pwd 
protected or not...  endless precautions... 

c ya
alvin

On 28 May 2001, Brian May wrote:

> >>>>> "Alvin" == Alvin Oga <[EMAIL PROTECTED]> writes:
> 
>     >> On my own boxen, root passwords were changed from defaults, and
>     >> root ssh denied.  I actually stood down my system administrator
>     >> telling him he had no need for a root password on the box -- he
>     >> could administer the box locally if need be, I didn't trust his
>     >> security management (passwords were kept in an Excel
>     >> spreadsheet -- he didn't last long).
> 
>     Alvin> humm...smart... why bother have a "secret passwd" if ya
>     Alvin> gonna write it down... oh well...
> 
> If you administrate XYZ different computer systems, and each computer
> has a different root password, it can become very difficult to
> remember all these passwords (especially if you don't regularly use
> that particular system). So you either run the risk of forgetting a
> vital password at a vital time, or you write them down somewhere in a
> safe place.
> 
> ...admittedly, I would refrain from writing all my passwords down in
> the same place. If somebody did manage to get the list, he/she would
> have access to everything, not just one or two systems!
> 
> ...also, not sure I would trust Excel, but that is another topic ;-)
> 
> ...ssh RSA/DSA authentication might be the best solution (assuming you
> *allow* remote root logins), but only if you always log on from the
> same trusted computer every time. Not good, for instance, if you
> accidently break network access to a central server, but can't
> remember the password to login locally to the console.
> 
> (Just a thought: perhaps a better solution would be to store these
> passwords on a computer file, but GPG encrypt them?)

Reply via email to