On 6/4/07, Tracy R Reed <[EMAIL PROTECTED]> wrote:
> Brian LaMere wrote:
> > What do you do, then, when a server in germany fails (and you're in
> > San Diego), and through your remote console access you see the ctrl-D
> > login?  The one that only accepts the root passwd?  We don't use root

> I reboot with init=/bin/sh bypassing that script. Ubuntu also locks the
> root account by default. They have a special grub boot option which
> probably does something similar to what I do.

You're still making assumptions; the site servers aren't all linux.
Half of them are HPUX with all the tcb features running.  Most of the
linux systems are still using lilo.

Further, the point is that root is still a viable account, and can and
should be used in limited situations.  Ubuntu isn't cleared to be used
in the DoD, either.  Even if it was, I wouldn't use it; not a fan, for
various reasons.

> > system for hours if it comes up in single-user mode, and even in
> > single-user mode it must ask for a password.  We don't have physical
> > access to any of these systems, but we do have console access via
> > com1.

> I wouldn't exactly say it "must" ask for a password. Anyone with console

No, it *must* ask for a password.  In "trusted" mode, HPUX does
precisely that.  I also must make root require a password with
single-user in any other UNIX variant we use.  It's actually not that
hard to do, either.

Further, you're being rather whimsical with your grub password - what's
the point in being so restrictive with root, if you can get around it
so easily?  I, on the other hand, have a password for grub as well -
one that I have to change too.  I have to set things so that those who
know the grub password (hardware support folks), still don't
necessarily have root access.  That, and only a few sites are even
using grub, or are even a recent linux variant.  Most are running
older installs of Linux (old enough to be using lilo...sigh), IRIX, or
HPUX.

> or a local python script which does the same thing. The DoD password
> rules are far from optimal. It's unfortunate that you have to spend so
> much time on this because of them.

ok, and again - I'm not asking for a lesson in security.  I'm looking
for a good password repository that runs on linux, with a cli.  If it
helps you to completely not worry about what the passwords are for,
please do so.

Is it unfortunate?  I don't think so, we make a lot of money from the
DoD.  The CCRA also makes similar requirements, and we have to keep up
with them on our non-DoD sites.  And beyond all that, I personally
think that it's a good idea to change passwords.  Call me wacky ; )
And yes, there are indeed very limited, yet important, uses for root.

> Interesting system. Perhaps you could automate the changing of the
> passwords using an expect script (we did this at MP3.com) and then have
> the script which generates and sets the passwords dump all of the
> passwords to a text file to be used next time it has to login and change
> passwords. You could host the whole thing on a USB key so the passwords
> get written out to the USB key and then keep the USB key in a safe. You
> could have the script print out a page with each hostname/password on it
> as it changed them to be stuffed in envelopes etc.

I could write a perl utility that gets data from an encrypted db it
creates, but I like the idea of not re-inventing the wheel.  My
thought was that the need was obvious and non-far-fetched enough that
the repository itself might already be done so I don't have to put so
much thought into the security of it, and tools do actually exist
(PasswordSafe, for example) that run on windows.  If PasswordSafe v3
existed for Linux, I'd not have even asked the question; I'd be using
it.  Or further, if Crypt::Pwsafe had more than just read-only
access...

> > Anyone know of a password repository for linux that is any good?  Sans
> > assumptions about what my environment is like?  ; )

> I am mostly having this discussion for the benefit of less experienced
> admins. :) However it is also common that people post saying "I need to
> know how to do this" when upon further examination they didn't really
> need to be doing that at all. For anyone outside of a DoD environment
> this kind of password policy is totally counter-productive to what you
> are likely trying to do, so don't think that because this is how the DoD
> does it, it is actually a good idea for home or business. :)

Mayhaps, but most people don't need ~150 root passwords in their home
or small business, so I wasn't speaking to that audience ;)  I don't
personally understand why people run numerous servers at their house
at all, really.

Brian


--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list