Brian LaMere wrote:
> What do you do, then, when a server in Germany fails (and you're in
> San Diego), and through your remote console access you see the ctrl-D
> login? The one that only accepts the root passwd? We don't use root

I reboot with init=/bin/sh bypassing that script. Ubuntu also locks the
root account by default. They have a special grub boot option which
probably does something similar to what I do.

> system for hours if it comes up in single-user mode, and even in
> single-user mode it must ask for a password. We don't have physical
> access to any of these systems, but we do have console access via
> com1.

I wouldn't exactly say it "must" ask for a password. Anyone with console
access to the system inherently has easy root access whether your init
scripts ask for a password or not. I don't quite get why it bothers
asking at all.

> So you'd leave the same root password forever? DoD won't allow it
> anyway, so moot point.

Same root password forever? In the cases where I have to have one, yeah.
I change it whenever I let someone go or otherwise end a relationship
(consulting/partnership etc.) where someone else knew it. Make it long
and random and write it down and forget about it. I like to use this
service for generating passwords:
https://secure.msdservices.com/apg/
or a local python script which does the same thing. The DoD password
rules are far from optimal. It's unfortunate that you have to spend so
much time on this because of them.

> Which is what we currently do; write ~150 root passwords on bits of
> paper, 1 password per envelope, seal the envelopes, if an envelope
> gets opened the password has to be changed, the password also has to
> be changed every 6 weeks, and those ~150 envelopes live inside a
> fireproof safe. Half the time I can't read the damn things, but I
> guess people could print out the text to get around that. It also
> takes a day and a half, every 30 days (28 days, really, because you
> don't want them to expire...) to change. It's messy, and silly IMO.
> It's also bad security IMO.

Interesting system. Perhaps you could automate the changing of the
passwords using an expect script (we did this at MP3.com) and then have
the script which generates and sets the passwords dump all of the
passwords to a text file to be used next time it has to login and change
passwords. You could host the whole thing on a USB key so the passwords
get written out to the USB key and then keep the USB key in a safe. You
could have the script print out a page with each hostname/password on it
as it changed them to be stuffed in envelopes etc.

> Anyone know of a password repository for linux that is any good? Sans
> assumptions about what my environment is like? ; )

I am mostly having this discussion for the benefit of less experienced
admins. :) However it is also common that people post saying "I need to
know how to do this" when upon further examination they didn't really
need to be doing that at all. For anyone outside of a DoD environment
this kind of password policy is totally counter-productive to what you
are likely trying to do, so don't think that because this is how the DoD
does it, it is actually a good idea for home or business. :)
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
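The generator-plus-manifest half of the rotation scheme sketched in the reply above, as an added example that is not from the original thread or from anyone on the list: it picks the hosts whose root password is past the 28-day rotation point, draws a new password for each from the OS CSPRNG (the job apg or the "local python script" does), and emits both the tab-separated manifest the expect script would read on its next run and the printable per-envelope sheet. The hostnames and dates are constructed; the alphabet drops characters that are easy to misread on paper.

```python
import math
import secrets
import string
from datetime import date, timedelta

# Constructed inventory (hypothetical hosts): hostname -> date root password was last set.
INVENTORY = {
    "web1.example.net": date(2006, 1, 2),
    "db1.example.net": date(2006, 1, 20),
    "fw1.example.net": date(2005, 12, 1),
}

ROTATE_AFTER_DAYS = 28   # change well before the 6-week limit
EXPIRES_AFTER_DAYS = 42  # the policy's hard limit

# Letters, digits and a few shell- and expect-safe symbols, minus the glyphs
# that are hard to tell apart on a printed sheet (0/O, 1/l/I). 64 symbols.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + "#%+-=@_" if c not in "0O1lI"
)

def generate_password(length=20, alphabet=ALPHABET):
    """Uniform random choice from the OS CSPRNG; never use the random module here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length=20, alphabet=ALPHABET):
    """Guessing-resistance of a uniformly drawn password of this length."""
    return length * math.log2(len(alphabet))

def hosts_due(inventory, today, rotate_after_days=ROTATE_AFTER_DAYS):
    """Hosts whose current password is at or past the rotation point."""
    return sorted(h for h, set_on in inventory.items()
                  if (today - set_on).days >= rotate_after_days)

def plan_rotation(inventory, today, length=20):
    """One fresh password per due host: rows of (host, password, expiry date)."""
    expiry = today + timedelta(days=EXPIRES_AFTER_DAYS)
    return [(h, generate_password(length), expiry) for h in hosts_due(inventory, today)]

def manifest_text(rows):
    """Tab-separated file the rotation script reads to log in next time."""
    return "".join(f"{h}\t{p}\t{e.isoformat()}\n" for h, p, e in rows)

def envelope_sheet(rows):
    """One fixed-width line per envelope, so the paper copy stays legible."""
    return "\n".join(f"{h:<24} {p}" for h, p, _ in rows)

if __name__ == "__main__":
    rows = plan_rotation(INVENTORY, date(2006, 2, 1))
    print(manifest_text(rows), envelope_sheet(rows), sep="\n")
```

The manifest is the secret the safe (or USB key) protects; the sheet goes into the envelopes.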