[Gllug] Why have root passwords at all?

Matthew Cooke mpcooke3 at hotmail.com
Sun Mar 12 01:03:11 UTC 2006


>From: Tethys <sta296 at astradyne.co.uk>
>Reply-To: Greater London Linux User Group <gllug at gllug.org.uk>
>To: Greater London Linux User Group <gllug at gllug.org.uk>
>Subject: Re: [Gllug] Why have root passwords at all?
>Date: Sun, 12 Mar 2006 00:09:44 +0000
>
>Bruce Richardson writes:
>
> >If you manage large networks, root passwords are a pain.  You have to
> >change them all every time somebody leaves your team or whenever you
> >think a box in the same environment (or group of boxes with the same
> >root password) has been compromised.
>
>You only need to change the root password if your sysadmin team has
>the root password in the first place.
>
> >If you are a responsible administrator you have set up a wheel group to
> >restrict access to the root account and installed sudo everywhere
>
>Exactly.
>
> >Why not go the distance and make it entirely irrelevant?  Two options
> >for this:
> >

That reminds me:

One large company that I know of uses a central login server that will give 
root access to any machine to any technician but will only give out a 
certain number of root logins in a given time period; this way the entire 
network can't easily be compromised.

This is enforced using ssh keys which *nobody* knows and were generated and 
configured directly by the authentication server. Password based direct 
access to the machines is not possible so you *have* to go through the 
authentication server. This also means technician logins only have to be 
revoked on the one machine if they leave the company or become a security 
risk. It also means that access to machines is centrally logged so if an 
employee goes AWOL then all the machines he's been granted root access to 
can be disabled going back X amount of time.
I don't know if root access on the authentication server is possible, but if 
it is then I guess only the CTO or CEO has it.

They also have other machines whose role is to scan the network for 
abnormalities and drop those machines out of the network.


-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
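The set-up described in the post above, modelled in code. This is an added example, not the company's system and not code from the list: it assumes a broker host ("bastion") at an assumed address 192.0.2.10 that alone holds the per-host root key pairs, a fleet-wide quota of root logins per time window, and an in-memory audit log standing in for the central log. The `from=` authorized_keys option and the sshd_config directives are real OpenSSH options; every host name, technician and key string is made up.

```python
"""Toy model of a central root-access broker with quota and central log.

Added example, not the company's system or the list's code.  Assumes a
broker ("bastion") at 192.0.2.10 that alone holds the per-host root keys,
hands out a limited number of root logins per time window across the
whole fleet, and keeps the central audit log used to revoke a
technician's access.  All hosts, technicians, addresses and keys are
made up.
"""
from dataclasses import dataclass

# sshd_config fragment for every managed host: no password logins at all,
# root only with a key (OpenSSH directives; 'prohibit-password' is the
# OpenSSH >= 7.0 spelling of the older 'without-password').
MANAGED_HOST_SSHD_CONFIG = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""


@dataclass(frozen=True)
class Grant:
    technician: str
    host: str
    ts: float          # seconds since epoch when root access was granted


class AccessBroker:
    """Hands out root logins and records every grant centrally."""

    def __init__(self, bastion_addr: str, max_grants: int, window: float):
        self.bastion_addr = bastion_addr    # only source sshd on hosts will accept
        self.max_grants = max_grants        # fleet-wide quota of root logins ...
        self.window = window                # ... per this many seconds
        self.log: list[Grant] = []          # central audit log (in memory here)

    def authorized_keys_line(self, host_root_pubkey: str) -> str:
        """Line to install in /root/.ssh/authorized_keys on a managed host.

        The key pair is generated on the broker and never shown to a
        technician; 'from=' makes sshd reject it from any other address,
        so the only route to root is through the broker.
        """
        opts = (f'from="{self.bastion_addr}",no-port-forwarding,'
                'no-agent-forwarding,no-X11-forwarding')
        return f"{opts} {host_root_pubkey}"

    def grants_in_window(self, now: float) -> list[Grant]:
        """Grants that still count against the quota at time `now`."""
        return [g for g in self.log if now - g.ts < self.window]

    def request_root(self, technician: str, host: str, now: float) -> bool:
        """Grant root on `host` unless the fleet-wide quota is exhausted.

        Denying past the quota is what stops one stolen technician
        account from touching every machine in a single sweep.
        """
        if len(self.grants_in_window(now)) >= self.max_grants:
            return False
        self.log.append(Grant(technician, host, now))
        return True

    def hosts_to_disable(self, technician: str, lookback: float, now: float) -> list[str]:
        """Hosts a technician was given root on in the last `lookback` seconds.

        When someone leaves or goes AWOL this is the list whose root keys
        the broker rotates; the technician's own login exists only on the
        broker, so it is revoked there once.
        """
        return sorted({g.host for g in self.log
                       if g.technician == technician and now - g.ts <= lookback})


if __name__ == "__main__":
    broker = AccessBroker("192.0.2.10", max_grants=2, window=3600)
    # constructed, non-functional key string standing in for a broker-generated key
    print(broker.authorized_keys_line("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnly root@host"))
    print(broker.request_root("alice", "db1", now=0))       # True
    print(broker.request_root("bob", "web1", now=10))       # True
    print(broker.request_root("alice", "web2", now=20))     # False: quota for this hour used up
    print(broker.request_root("alice", "web2", now=3700))   # True: window has rolled
    print(broker.hosts_to_disable("alice", lookback=7200, now=3700))  # ['db1', 'web2']
```

The quota here is counted across the whole fleet rather than per technician, which is what the post describes: a single compromised technician account cannot turn into root on every box in one pass. A real broker would also log the session transcript and rotate the per-host key after each grant, neither of which this model attempts.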