[Gllug] Why have root passwords at all?

Daniel P. Berrange dan at berrange.com
Sat Mar 11 16:10:58 UTC 2006


On Sat, Mar 11, 2006 at 03:26:43PM +0000, John Winters wrote:
> On Sat, 2006-03-11 at 13:58 +0000, Bruce Richardson wrote:
> [snip]
> > Why not go the distance and make it entirely irrelevant?  Two options
> > for this:
> > 
> > 	1.  Empty root password
> > 	2.  Different randomly-generated root password on each box
> > 
> > Option 1 can be very safe if you put a little thought into it, since
> > most user-authenticated applications can be made to refuse root logins
> > and/or refuse access to accounts with blank passwords.
> 
> I'm not sure what you mean by a "user-authenticated application", but
> surely if you have an empty root password then one can log on as root
> just by typing "root" at the user prompt and pressing enter at the
> password prompt?  Do you mean you want to put something like "*" (which
> nothing will encrypt to) in the password field instead of having it
> blank?
> 
> [snip]
> > Comments welcome.
> 
> What about when the fsck detects errors during boot and the system says,
> "Enter root password to run fsck interactively"?

One could set init scripts to not require a root passwd to run fsck,
assuming that access to the console is externally controlled, perhaps
by the remote ILO management service itself.

Dan.
-- 
|=-            GPG key: http://www.berrange.com/~dan/gpgkey.txt       -=|
|=-       Perl modules: http://search.cpan.org/~danberr/              -=|
|=-           Projects: http://freshmeat.net/~danielpb/               -=|
|=-   berrange at redhat.com  -  Daniel Berrange  -  dan at berrange.com    -=|
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: Digital signature
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20060311/de203881/attachment.pgp>
-------------- next part --------------
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug


More information about the GLLUG mailing list