On 6/4/07, Tracy R Reed <[EMAIL PROTECTED]> wrote:
> Brian LaMere wrote:
> > Anyone know of an open-source password repository utility for linux?
> I just use a crypto-loop mounted encrypted filesystem containing a text
> file with the usernames and passwords in it.

Won't solve the problem; becomes an all/nothing situation, which isn't
very friendly.

> > We have ~150 separate root passwords to keep track of, and our current
> I solve this problem by getting rid of root passwords. Nobody should be
> using them. There is no accountability. Configure and use sudo instead.
> I put a * in the password field of root in /etc/passwd.

What do you do, then, when a server in Germany fails (and you're in
San Diego), and through your remote console access you see the ctrl-D
login? The one that only accepts the root passwd? We don't use root
passwords except in an emergency, but they are certainly necessary
from time to time. I'm truly not asking for a lesson in security, I'm
asking for password repository suggestions. The root account does
indeed have a purpose, even if it is limited. We can't hassle with a
system for hours if it comes up in single-user mode, and even in
single-user mode it must ask for a password. We don't have physical
access to any of these systems, but we do have console access via
com1.

> > Note that this isn't for general accounts, so ldap/nis/etc isn't
> > valid; we've just got a lot of root passwords to keep track of, and
> > they all have to be different.
> If ldap etc would be valid for general accounts this would be another
> reason to do away with root passwords.

You're making assumptions. We're already using ldap for most of the
sites, but using ldap for the root password is a bad idea :) Was just
throwing that out there in case someone suggested I just use ldap -
I'm looking for a solution for /root/, not a general account.

> > Currently, about 12 hours is spent every 6 weeks, changing passwords.
> I am also generally against gratuitous changing of passwords as it

So you'd leave the same root password forever? DoD won't allow it
anyway, so moot point.

> But really I would recommend just writing down the root passwords and
> storing them in a safe place like your office or in the server room. If
> you don't have physical security you don't have any security anyway,
> right? So if it's good enough for storage of the physical machines it is
> good enough for storage of the written root passwords.

Which is what we currently do; write ~150 root passwords on bits of
paper, 1 password per envelope, seal the envelopes, if an envelope
gets opened the password has to be changed, the password also has to
be changed every 6 weeks, and those ~150 envelopes live inside a
fireproof safe. Half the time I can't read the damn things, but I
guess people could print out the text to get around that. It also
takes a day and a half, every 30 days (28 days, really, because you
don't want them to expire...) to change. It's messy, and silly IMO.
It's also bad security IMO.

Thus the reason I was asking the question ; )

Anyone know of a password repository for linux that is any good? Sans
assumptions about what my environment is like? ; )
Brian
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
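A worked sketch of the kind of repository Brian is asking for, added here as an example; it is not code posted by either participant and not any existing tool. It models the sealed-envelope procedure from the thread in software: one sealed entry per host rather than one all-or-nothing text file, a per-host subkey derived from the master (so the entry for one box can be handed to whoever is on call for it without opening the whole safe), passwords that avoid look-alike glyphs so they can be read off a serial console, and rotation bookkeeping that flags an entry when it has been opened or when it is older than the policy interval. The host names, master secret and 28-day interval are made up. Because the Python standard library has no AEAD cipher, confidentiality comes from HMAC-SHA256 run in counter mode and integrity from a separate HMAC-SHA256 tag (encrypt-then-MAC); that is a sound PRF construction for a demonstration, but a real tool should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a crypto library.

```python
# Added example for this thread, not code posted by either participant.
# Per-host root password vault: sealed entry per host, per-host subkey,
# rotation bookkeeping modelled on the sealed-envelope procedure.
# Crypto caveat: HMAC-SHA256 in counter mode + HMAC tag stands in for an
# AEAD cipher, which the stdlib does not provide. Use a real AEAD in production.
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta

# No 0/O or 1/l/I: the password may have to be typed from paper or a console.
ALPHABET = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_password(length=20):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def host_key(master, host):
    """Per-host subkey. One subkey reveals nothing about the master or about
    any other host, so a single entry can be delegated without the master."""
    return hmac.new(master, b"root-pw/" + host.encode(), hashlib.sha256).digest()


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, n):
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):  # verify before decrypting
        raise ValueError("bad tag: wrong key or tampered entry")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _as_date(d):
    # Accepts a date, an ISO "YYYY-MM-DD" string, or None for today.
    if d is None:
        return date.today()
    return date.fromisoformat(d) if isinstance(d, str) else d


class Vault:
    def __init__(self, master, rotate_every_days=28):
        self.master = master
        self.rotate_every = timedelta(days=rotate_every_days)
        self.entries = {}  # host -> {"blob": hex, "rotated": "YYYY-MM-DD", "opened": bool}

    def rotate(self, host, today=None):
        """Seal a fresh password; returned once so the caller can set it on
        the host (e.g. pipe to chpasswd) and then forget it."""
        pw = generate_password()
        self.entries[host] = {
            "blob": seal(host_key(self.master, host), pw.encode()).hex(),
            "rotated": _as_date(today).isoformat(),
            "opened": False,
        }
        return pw

    def reveal(self, host, key=None):
        """Open the envelope. Works with just that host's subkey, and marks
        the entry as opened so it becomes due for rotation."""
        entry = self.entries[host]
        key = key if key is not None else host_key(self.master, host)
        pw = unseal(key, bytes.fromhex(entry["blob"])).decode()
        entry["opened"] = True
        return pw

    def due(self, today=None):
        """Hosts whose password must change: opened, or past the interval."""
        today = _as_date(today)
        return sorted(h for h, e in self.entries.items()
                      if e["opened"]
                      or date.fromisoformat(e["rotated"]) + self.rotate_every <= today)

    def dumps(self):
        # On-disk form holds ciphertext and dates only; never the master key.
        return json.dumps(self.entries, indent=1, sort_keys=True)

    @classmethod
    def loads(cls, master, text, **kw):
        v = cls(master, **kw)
        v.entries = json.loads(text)
        return v


if __name__ == "__main__":
    v = Vault(b"constructed-master-secret")  # constructed, not a real secret
    for h in ("db1.de.example", "web1.sd.example"):  # made-up host names
        print(h, v.rotate(h))
    print("due in 28 days:", v.due(today=date.today() + timedelta(days=28)))
```

The master key is only needed to derive subkeys and to rotate; a `reveal` with a single host's subkey is the software equivalent of handing one envelope to the person at the German site, and it leaves the entry flagged so it shows up in `due()` until someone rotates it.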