[Gllug] Why have root passwords at all?
Matthew Cooke
mpcooke3 at hotmail.com
Sun Mar 12 01:03:11 UTC 2006
>From: Tethys <sta296 at astradyne.co.uk>
>Reply-To: Greater London Linux User Group <gllug at gllug.org.uk>
>To: Greater London Linux User Group <gllug at gllug.org.uk>
>Subject: Re: [Gllug] Why have root passwords at all?
>Date: Sun, 12 Mar 2006 00:09:44 +0000
>
>Bruce Richardson writes:
>
> >If you manage large networks, root passwords are a pain. You have to
> >change them all every time somebody leaves your team or whenever you
> >think a box in the same environment (or group of boxes with the same
> >root password) has been compromised.
>
>You only need to change the root password if your sysadmin team has
>the root password in the first place.
>
> >If you are a responsible administrator you have set up a wheel group to
> >restrict access to the root account and installed sudo everywhere
>
>Exactly.
>
> >Why not go the distance and make it entirely irrelevant? Two options
> >for this:
> >
That reminds me:
One large company that I know of use a central login server that will give
root access to any machine to any technician but will only give out a
certain number of root logins in a given time period, this way the entire
network can't easily be compromised.
This is enforced using ssh keys which *nobody* knows and were generated and
configured directly by the authentication server. Password based direct
access to the machines is not possible so you *have* to go through the
authentication server. This also means technician logins only have to be
revoked on the one machine if they leave the company or become a security
risk. It also means that access to machines is centrally logged so if an
employee goes AWOL then all the machines he's been granted root access to
can be disabled going back X amount of time.
I don't know if root access on the authentication server is possible but
if it is then I guess only the CTO or CEO has it.
They also have other machines whose role is to scan the network for
abnormalities and drop those machines out of the network.
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
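The central login server described in the post above, modelled as a small broker, as an added example that is not part of the original mail or of any real product: it caps the number of root grants network-wide per time window, keeps the central log, revokes a technician in one place, and lists the hosts a departed technician was granted root on within a look-back period. All names (`AccessBroker`, `request_root`, `hosts_touched_by`) and the sample hosts are constructed for this illustration.

```python
"""Model of a central, rate-limited root-access broker (constructed example)."""
from dataclasses import dataclass, field
import time


@dataclass
class AccessBroker:
    max_grants: int                 # root logins allowed network-wide per window
    window: float                   # window length in seconds
    grants: list = field(default_factory=list)   # central audit log: (ts, tech, host)
    revoked: set = field(default_factory=set)    # technicians whose access is disabled

    def request_root(self, tech, host, now=None):
        """Grant or refuse a root login; every grant is recorded centrally."""
        now = time.time() if now is None else now
        if tech in self.revoked:
            return False
        # Count grants to anyone in the trailing window: the cap is network-wide,
        # so a single compromised technician account cannot reach every box at once.
        recent = sum(1 for ts, _, _ in self.grants if now - ts < self.window)
        if recent >= self.max_grants:
            return False
        self.grants.append((now, tech, host))
        return True

    def revoke(self, tech):
        """Revocation happens on the broker only; the target hosts need no change."""
        self.revoked.add(tech)

    def hosts_touched_by(self, tech, lookback, now=None):
        """Hosts this technician was granted root on in the last `lookback` seconds,
        i.e. the set to disable or re-key after the person leaves or goes AWOL."""
        now = time.time() if now is None else now
        return sorted({h for ts, t, h in self.grants
                       if t == tech and now - ts <= lookback})


if __name__ == "__main__":
    broker = AccessBroker(max_grants=2, window=3600)
    print(broker.request_root("alice", "web1", now=0))      # True
    print(broker.request_root("alice", "web2", now=10))     # True
    print(broker.request_root("bob", "db1", now=20))        # False: cap reached
    print(broker.request_root("alice", "db1", now=4000))    # True: window rolled
    broker.revoke("alice")
    print(broker.request_root("alice", "web3", now=4001))   # False: revoked
    print(broker.hosts_touched_by("alice", 86400, now=4001))  # ['db1', 'web1', 'web2']
```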