Rob van der Heij wrote:
> On 8/30/06, McKown, John <[EMAIL PROTECTED]> wrote:
>> If I were doing this in a business environment, I would insist on
>> digital certs and not even allow the use of passwords (and disable
>> telnet as well, for that matter). That would only leave logging in via
>> the "console" under z/VM and/or the "HMC Integrated ASCII terminal" for
>> non-SSH logins. I actually run z/Linux under Hercules/390 for my
>
> In my former life we had inittab automatically logon root on the VM
> console, so that was protected by z/VM RACF and LOGONBY (and SCIF ...)
> And we used sudo without password to issue privileged commands from
> our personal account (access via cryptic keys). So nobody needed a
> root password and there was no risk of someone else finding and using
> it.
>
> Unfortunately the auditors required that we set a root password and
> change it every now and then. Which means there *is* a root password
> and someone might find it, and we're worse off than without. Sigh.

So use a password generator to create a password (Debian has apg, and I've
also used one that's part of expect), automate the process and never
record the current password, let alone use it :-).

If you use keys w/o passphrases, then you're authenticating computers,
not users. Anyone who can pinch my computer can login anywhere I do, if
I don't use a passphrase too.
For me, that's fine, I don't have a squillion-dollar company to keep safe.
--
Cheers
John