Brian LaMere wrote:
No, it *must* ask for a password. In "trusted" mode, HPUX does precisely that. I also must make root require a password with single-user in any other UNIX variant we use. It's actually not that hard to do, either.
Even that isn't enough; if you do not secure the machine physically, all passwords are useless. I can just pull the drive and smack the password or reset the NVRAM.
What people are trying to tell you is that static passwords give you far more illusion of security than real security. If you get even a *single* compromise that allows sniffing then your security is shot for the entire system; you have no defense in depth.
In return, you are sticking your fingers in your ears and going "LA LA LA LA I CAN'T HEAR YOU!".
Now, you may be constrained by the current system, current politics, current budget, etc. However, blowing 96 hours *per year* (2+ man-weeks!) just to change passwords *screams* for an actual solution rather than a band-aid.
As a side note, you might want to think about how you could co-opt authorized_keys and the ssh key management utilities. They would seem to be a better match.
-a
