[Gllug] Why have root passwords at all?

Bruce Richardson itsbruce at uklinux.net
Sun Mar 12 15:35:43 UTC 2006


On Sun, Mar 12, 2006 at 12:09:44AM +0000, Tethys wrote:
> 
> Bruce Richardson writes:
> 
> >If you manage large networks, root passwords are a pain.  You have to
> >change them all every time somebody leaves your team or whenever you
> >think a box in the same environment (or group of boxes with the same
> >root password) has been compromised.
> 
> You only need to change the root password if your sysadmin team has
> the root password in the first place.

How do you know that they do not have it?  It would be very difficult to
allow them to administer your network and yet prevent them from having
any opportunity to take a copy of the password files.  Once they have
that, all they need is a password cracker and some time.

This is why I propose effectively throwing away the root password, so
that nobody has to know it.  Or, to be more precise, so that it doesn't
matter whether anybody knows it or not.  As far as I can see, there are
only two scenarios where this could be a problem:

1.  Everybody forgets their own password.

In this scenario, every administrator with an account on a specific box
has forgotten their password on that machine.  Or the entire sysadmin
team has died from bird flu.  That kind of thing.  Since we know no root
password, or anybody else's password, we cannot get root access.  We do
not want to reboot the box because it is running vital services that
must stay up.  What do we do?

One answer: cfengine, or something similar.  If you are using something
like cfengine to manage your network, you can use it to change a
password remotely.  Of course, if the sysadmins all died of bird flu
then you probably do not have access to the master cfengine server ;)

Another answer: you should never have vital services that rely only on
one machine.  If you have services that absolutely always have to be up
then they have to be able to survive the loss of any one box anyway.  If
you have achieved that resilient a network then you can reclaim your
network by simply rebooting one box at a time (and gaining access via
the trusty old "init=/bin/sh" route).

2.  Misbehaving or damaged system.

A box is sufficiently non-functional that you need to be able to log in
directly as root to debug it.  Maybe the /usr partition is damaged, so
that sudo is unavailable.

This is more difficult.  On the one hand, I could repeat the argument
above that nothing should be so irreplaceable that you can't reboot it
and investigate.  On the other hand, you lose valuable debugging
information and opportunities that way.  Needs some thought.

-- 
Bruce

I must admit that the existence of Disneyland (which I know is real)
proves that we are not living in Judea in AD 50. -- Philip K. Dick
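An added audit script, not from the original thread, that checks a host for the state the post argues for: root's password unusable, yet at least one sudo-capable administrator can still authenticate (and flags the lock-out of scenario 1). The shadow, sudoers and group contents are constructed samples so it runs without root; on a real host you would read /etc/shadow, /etc/sudoers and /etc/group instead.

```shell
#!/bin/sh
# Added example (not the list's or the author's code).  Data below is
# CONSTRUCTED so the script runs unprivileged; swap in the real files.

# Constructed shadow lines: root locked ("!"), alice has a hash, bob was
# locked with "passwd -l" (hash kept, "!" prefixed), carol never got one.
SHADOW='root:!:16000:0:99999:7:::
alice:$6$saltsalt$fakehashvalue:16000:0:99999:7:::
bob:!$6$saltsalt$fakehashvalue:16000:0:99999:7:::
carol::16000:0:99999:7:::'

# Constructed sudoers: the wheel group may run anything; bob has one rule.
SUDOERS='Defaults requiretty
%wheel ALL=(ALL) ALL
bob ALL=(ALL) NOPASSWD: /sbin/reboot'

# Constructed /etc/group entry.
GROUPS_FILE='wheel:x:10:alice,bob'

# password_usable USER: succeed only if USER's hash field holds a real hash.
# Empty (no password), "!" or "*" prefixed (locked) and unknown users fail.
password_usable() {
    field=$(printf '%s\n' "$SHADOW" | awk -F: -v u="$1" '$1 == u { print $2 }')
    case "$field" in
        '' | '!'* | '*'*) return 1 ;;
        *) return 0 ;;
    esac
}

# sudo_users: users named in sudoers directly or via a %group entry,
# skipping comments and Defaults lines (aliases and includes are ignored).
sudo_users() {
    printf '%s\n' "$SUDOERS" | awk '!/^#/ && !/^Defaults/ && NF { print $1 }' |
    while read -r who; do
        case "$who" in
            %*) printf '%s\n' "$GROUPS_FILE" |
                awk -F: -v g="${who#%}" '$1 == g { print $4 }' | tr ',' '\n' ;;
            *)  printf '%s\n' "$who" ;;
        esac
    done | sort -u
}

# recovery_state: ROOT_PASSWORD_USABLE if root can still log in directly,
# OK if root is locked but some sudoer can authenticate, LOCKED_OUT if root
# is locked and no sudoer has a usable password (the post's scenario 1).
recovery_state() {
    if password_usable root; then echo ROOT_PASSWORD_USABLE; return; fi
    for u in $(sudo_users); do
        if password_usable "$u"; then echo OK; return; fi
    done
    echo LOCKED_OUT
}

recovery_state
```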