-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian LaMere wrote:
> what I'm not doing. I don't want to use the forever passwords that
> Tracy suggests. I want to actually change them, like mandated.

Honestly, I really don't care for forever passwords either.

> being whimsical with root, IMO. Grub has a password. Root has a
> password. I simply would like a CLI tool for storing said passwords.

You password protect your grub? When I run into a password protected
grub I just boot it from floppy or USB key or PXE boot over the network
or if the BIOS itself is passworded I just pull the whole drive out.
Physical access means all bets are off.

> That tool, and the database that it is on, WILL be physically secure.
> Physically secure to the extent that you don't just have to steal my
> key to get in, you also have to steal my *finger*, as it uses a
> combination biometrics and reg key. Also, that just gets you into the

Using ssh keys for authentication is *safer* than just using a root
password such as you are doing now. Because it is a two-factor
authentication. You have to possess the key *and* know the password to
decrypt it. Someone simply stealing your key doesn't gain them anything
if they can't get your password. And if they can get your password they
can defeat your current system of using only passwords as well.

> No, I'm saying "you're making lots of completely incorrect
> assumptions." I have no physical access to the systems, and despite
> what Tracy suggests when he suggests that grub alterations can be
> casual but root can never ever be used, I treat grub alterations
> seriously and there are in fact limited, yet important, uses for root.

I never said grub alterations can be casual. They are last resort when
the system won't boot because of needing to get into single user mode
only. And really a grub alteration isn't needed if you already have
pre-configured a grub config that will append init=/bin/sh. You can just
choose that one from the friendly menu.

> Since half the systems are HPUX in trusted mode, and one can't just
> tag init=/bin/sh on the end of the kernel for hpux in trusted mode, I
> want a solution that works for *all* my systems, not just a quarter of
> them.

Single user mode on HP-UX:

1. Interrupt the boot process when prompted.
2. Type boot pri isl at the prompt.
3. At the ISL> prompt, type hpux -iS /stand/vmunix

Nope, don't need root passwords here either. :)

> key-based auth for root? Not happening, even if it wasn't disallowed
> by the DoD.

That's a shame because it actually provides better security, as I noted
above.

> After looking elsewhere today, it seems the best thing for me to do is
> simply write my own db managed by a perl utility, which encrypts the
> passwords individually so they can be viewed individually (versus the
> whole file being in an encrypted filesystem, or such). Retrieval, as

Hopefully you will GPL it so that others who have a similar need can
find the solution that you sought as well. Next time someone asks this
question we will say "Ah, You need Brian LaMere's excellent password
management tool!" :)

> is will start jailing people). When an ER is down though, anything
> that gets it back up sooner is what needs to happen - not some
> philosophical debate on whether root should exist at all. If root
> shouldn't exist, why does it? I'm not talking about logging in as
> root, starting X, running firefox, etc. I'm talking about needing it
> in single-user mode, since I have to force single-user mode to still
> require a password.

You are right. The philosophical debate should have happened before the
systems were even installed in the ER. Why does root exist? Historical
baggage from a day when Unix machines were not connected to networks and
everyone trusted each other. And it was never really a good idea even
then. Now we need accountability and root doesn't provide that except as
provided by your time-consuming "Hey, who opened this envelope?!" system.

Hey, we're just trying to be helpful! (and not succeeding)

- --
Tracy R Reed
Read my blog at http://ultraviolet.org
Key fingerprint = D4A8 4860 535C ABF8 BA97 25A6 F4F2 1829 9615 02AD
Non-GPG signed mail gets read only if I can find it among the spam.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGZQw39PIYKZYVAq0RAr+4AJ4jkuKbEe0HnvGTB56kOJvGJy84igCfc1T7
srG+TkbwXgOLk10io9fwVO4=
=2YNP
-----END PGP SIGNATURE-----

--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
