Bob Beck wrote:
...
        IMNSHO, a root password for single user makes the system *LESS*
secure, and I'm dead serious. I would object to any attempt to commit
changes to OpenBSD to have one by default. Why? Real simple: *because
you asked this question*. - Now I'm not just crapping on you, every
new sysadmin I know asks this. The point is, if OpenBSD put a root
password on single user, you might be tempted to think that somehow,
someway, a not-physically secured machine was secure, and be tempted
to deploy it that way. And don't laugh, I've seen the assumption made
(I work at a university). My point is that putting "security" measures
in place that do not do anything because of equivalent access makes
people believe that they *do* do something, and therefore people make
incorrect assumptions and do things insecurely.
        "Physical access is everything highness. Anyone who says differently
is selling something."

        -Bob

Here's another example:

My boss feels that it is important that he have a list of administrative passwords to all servers in our company.

Now, call me no fun, but the idea of a password for the perimeter security firewalls sitting in an Excel spreadsheet on a laptop he selected because it was small and expensive and he likes to carry around to impress people scares the hell out of me...and thus, the PWs are not there.

Now, he's got a point...yes, we have multiple administrators, but we are friends outside of work, so we are not infrequently in the same place at the same time, so the possibility of us both being killed in the same Celtic Music Riot or explosion of the same Mongolian Grill can't be discounted. If something happens to both of us, someone will need to be able to get into those systems. So...I just wrote up and showed him (and had him try) the "lost my PW" process in the FAQ, and had him force the root PW. And he was satisfied (other than the look on his face that seemed to be slightly pissed that I was denying him something he wanted, even though he knows I satisfied the goal of the demand he made).

NOW...if we had something that had some kind of master password that was required even with physical access, we'd probably have to have either created an unused account for him (bad idea) or recorded a master password on his magic Excel spreadsheet (another bad idea). I don't think that would have improved security one bit.

Sometimes, you got to make it easy to get in in a controlled way to make it harder for the wrong people to get in in a less controlled way.

Nick.
