You shouldn't be using something as weak as passwords for logging in remotely as root anyway. Key-based authentication is much better *and* more convenient.
Yes, if your workstation is compromised and the compromiser knows your key passphrase, you are in trouble. But I argue it's still more secure than a different password for each server (which could of course still have their own passwords, for local logins). If you're that paranoid, change your key passphrase every week and only keep the private key on removable media that is strapped to your wrist.

Aaron Toponce wrote:
> Jessie Morris wrote:
>> haha. Very funny. Sorry, I've been working and I've been really busy, so I
>> didn't have much time to reply. Thank you for this response, but just to
>> clarify, can I use this to log into a Linux system? For example, could I
>> change the root password on the central server and that trickles down to
>> each of the clients?
>
> It doesn't "trickle down to each of the clients" like DNS propagates
> from server to server. The account is stored on the remote server,
> rather than locally on the client machine. So when the user logs in,
> they are authenticating against the remote server, rather than
> authenticating against the local client.
>
> However, don't store the client root account on the LDAP server. Root
> accounts should be kept locally through /etc/passwd and /etc/shadow.
> Also, you'll be tempted to keep the root password the same on all local
> machines. I'd recommend not doing it, and keeping a centralized
> encrypted database with KeePass, or something similar. If you keep all
> the root passwords the same on all machines, and someone gets it, they
> could compromise all your boxen. Sucks for convenience to have all the
> root passwords different, rocks for security.
>
> ------------------------------------------------------------------------
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */

--
Hans Fugal ; http://hans.fugal.net

There's nothing remarkable about it. All one has to do is hit
the right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach
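Whether a server actually refuses password logins for root, as the message above recommends, can be read from its sshd_config. The Python below is an added example, not part of the original thread: the function names are hypothetical, the defaults are assumed from OpenSSH 7.0 and later, and the sample configurations are constructed.

```python
# Added example: classify how root may log in, given sshd_config text.
# Assumed defaults are those of OpenSSH 7.0 and later; keyboard-interactive
# (PAM) prompts and Include files are not examined.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}


def effective_settings(config_text):
    """Return (global settings, watched keywords seen inside Match blocks)."""
    settings, overrides, in_match = {}, set(), False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()                   # keywords are case-insensitive
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                      # rest of file is conditional
        elif in_match:
            if key in DEFAULTS:
                overrides.add(key)
        else:
            settings.setdefault(key, value)      # first occurrence wins
    return {**DEFAULTS, **settings}, overrides


def root_login_mode(config_text):
    """Classify root's remote login policy from the global section."""
    settings, overrides = effective_settings(config_text)
    if overrides:
        return "review-match-blocks"             # conditional override present
    root = settings["permitrootlogin"]
    if root == "no":
        return "root-disabled"
    if root == "yes" and settings["passwordauthentication"] == "yes":
        return "root-password-allowed"
    # prohibit-password, without-password, forced-commands-only, or
    # PasswordAuthentication no: root needs a key
    return "root-key-only"


# Constructed sample configurations
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\nPermitRootLogin no\n"
HARDENED = "# constructed\nPermitRootLogin prohibit-password\nPasswordAuthentication no\n"
CONDITIONAL = "PermitRootLogin no\nMatch Address 10.0.0.0/8\n  PermitRootLogin yes\n"

if __name__ == "__main__":
    for name, text in [("weak", WEAK), ("hardened", HARDENED), ("conditional", CONDITIONAL)]:
        print(name, "->", root_login_mode(text))
```

In `WEAK` the later `PermitRootLogin no` has no effect, because sshd uses the first value it reads for each keyword.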
