Siju George wrote on Sat, May 06, 2006 at 09:31:39AM +0530:
> On 5/6/06, Bob Beck <[EMAIL PROTECTED]> wrote:
>> somebody asked:
>>> How do you people store passwords in OpenBSD if you have so many of
>>> them and would need to copy one of them to a password prompt while
>>> others are around you watching your screen?
>> (ahem) I simply wouldn't do this. it's stupid.
[....]
>> This would fall under the category of
>> DON'T WRITE YOUR PASSWORD DOWN ANYWHERE!
> Just taking a rough estimate I need to remember about 70 passwords
[...]
This kind of setup does not seem very convincing to me in the first
place... When running large numbers of servers, wouldn't it be a
better policy to

1) have each server admin generate one RSA key with a strong personal
   passphrase on one properly configured and closely controlled central
   login server;

2) have admins log in to the various other servers using this key
   only and from this central server only, disabling password access
   for admin accounts even when allowing password access for user
   accounts;

3) grant admin users sudo access as required on each individual host.

In case you are serving 70 different clients, you could do essentially
the same thing, except that you would use one of your personal
machines having permanent internet access in place of the login
server mentioned in 1).
PermitRootLogin no in sshd_config(5) goes without saying anyway,
doesn't it?
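The sshd side of the policy sketched in this post, as an added example that is not part of the thread or of OpenBSD's own documentation: password authentication stays on for ordinary users, the admin group may only authenticate with a key and only from the central login server, and root may not log in over ssh. Everything specific here is assumed for illustration, not taken from the post: the Unix group is called "admins", the login server has the documentation-range address 192.0.2.10, and both sshd_config fragments are constructed. The audit function reads a configuration on stdin and reports whether the two admin-relevant settings are actually enforced.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumptions: admins
# belong to the group "admins" and the central login server is
# 192.0.2.10 (a constructed, documentation-range address).

# sshd_config(5) fragment implementing the policy: users keep password
# access, admins are key-only and restricted to the login server, and
# root may never log in over ssh. AllowUsers is one of the keywords
# permitted inside a Match block.
SSHD_CONFIG_OK='
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
Match Group admins
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    AllowUsers *@192.0.2.10
'

# A weaker constructed fragment: admins are pinned to the login server
# but may still type a password there, so the audit below should fail.
SSHD_CONFIG_WEAK='
PermitRootLogin no
PasswordAuthentication yes
Match Group admins
    AllowUsers *@192.0.2.10
'

# audit_sshd_config < sshd_config
# Returns 0 when PermitRootLogin is "no" in the global section and the
# "Match Group admins" block sets PasswordAuthentication to "no";
# otherwise prints the failing setting(s) and returns 1. Keywords are
# matched case-insensitively, as sshd itself does.
audit_sshd_config() {
    awk '
        BEGIN { section = "global"; root = ""; adminpw = "" }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            key = tolower($1)
            if (key == "match") {          # everything after Match is conditional
                section = (tolower($2) == "group" && $3 == "admins") ? "admins" : "other"
                next
            }
            if (section == "global" && key == "permitrootlogin") root = tolower($2)
            if (section == "admins" && key == "passwordauthentication") adminpw = tolower($2)
        }
        END {
            if (root == "no" && adminpw == "no") exit 0
            if (root != "no")
                print "FAIL: PermitRootLogin is \"" (root == "" ? "unset" : root) "\", expected no"
            if (adminpw != "no")
                print "FAIL: Match Group admins does not set PasswordAuthentication no"
            exit 1
        }
    '
}

# Run both constructed fragments through the audit.
printf '%s\n' "$SSHD_CONFIG_OK" | audit_sshd_config && echo "OK: admin policy enforced"
printf '%s\n' "$SSHD_CONFIG_WEAK" | audit_sshd_config || echo "WEAK: admin policy not enforced"
```

On a real host the check is `audit_sshd_config < /etc/ssh/sshd_config`, followed by `sshd -t` so that a typo does not lock everyone out when sshd is restarted. The key in step 1) is created on the login server with `ssh-keygen -t rsa`, which prompts for the passphrase, and the resulting public key is appended to the admin's `~/.ssh/authorized_keys` on each managed server; once that works from the login server, the Match block above is what makes the password path go away for admins without touching ordinary users.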