> From: Mathew Snyder [mailto:[email protected]]
>
> As for the two-factor options, while we are required to have one in place
> for certain things such as VPN access, we aren't required to have it
> for server access and it would simply be too much overhead to deal
> with on our little team.
You're saying 2-factor is unnecessary and too much work for your little team - but 2-factor is a well established and well supported standard that completely solves this problem, meanwhile you're spending your cycles looking for an alternative.

Suppose the root password was always static, "12345", and you were using something like SecurID (which I hate, but I'm sure a suitable alternative exists). Then you've got a device which is always generating single-use passwords. Voila.

Also (and I think this is actually a good practice), you could simply disable the root password completely. Enable sudo. Authenticate against a directory service (such as AD) that will enforce user password change policy and complexity requirements. Whenever you want to become root, you run:

    sudo su -

Lastly, you could stick something into the login script. When root logs in, run something like randchars (see nedharvey.com) to generate a new password, and launch passwd. So the user would make a habit of copying the new pass, pasting it into the passwd prompt, and also pasting it into whatever (KeePass etc.) mechanism you're using.

No matter what, you should enable sudo. Because no matter what, there is some risk of losing the actual root pass. And then sudo is your only option to recover.

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
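The "rotate the root password from the login script" idea above, written out as an added example. This is not the poster's script and it does not reproduce randchars from nedharvey.com; it assumes a Linux host with a POSIX sh, /dev/urandom and chpasswd(8), and that it is sourced from root's login profile with ROTATE_ROOT=yes set (both of those are assumptions made here for illustration). The one design point worth noting: the new password is printed for the user to store before it is applied, because if chpasswd ran first and the session died before the value was copied, nobody would know the root password any more.

```shell
#!/bin/sh
# Added example (not the original poster's code): rotate the root password
# whenever root logs in, so each password is effectively single-use.
# Assumptions: Linux, POSIX sh, /dev/urandom, chpasswd(8) available, and the
# script is invoked from root's login profile with ROTATE_ROOT=yes.

# gen_password LEN: print LEN random characters drawn from a fixed, shell- and
# paste-safe alphabet, sourced from /dev/urandom.
gen_password() {
    len="${1:-20}"
    LC_ALL=C tr -dc 'A-Za-z0-9_%+=-' < /dev/urandom | head -c "$len"
}

# count_bad_chars PASS: number of characters outside the allowed alphabet
# (0 for anything gen_password produced). Used to sanity-check output.
count_bad_chars() {
    printf '%s' "$1" | LC_ALL=C tr -d 'A-Za-z0-9_%+=-' | wc -c | tr -d ' '
}

# rotate_root_password: generate, display, then apply. The order matters:
# show the value first so the user can put it in the team password store
# (KeePass or similar) before it becomes the only way back into root.
rotate_root_password() {
    newpass=$(gen_password 20)
    printf 'New root password (store it in your password manager now): %s\n' "$newpass"
    printf 'root:%s\n' "$newpass" | chpasswd
}

# Only rotate when actually running as root and explicitly enabled; sourcing
# this file from a non-root shell or a test harness must be harmless.
if [ "$(id -u)" -eq 0 ] && [ "${ROTATE_ROOT:-no}" = "yes" ]; then
    rotate_root_password
fi
```

If the box authenticates against a directory and sudo is enabled as the post recommends, this rotation only protects the fallback path; the everyday path remains "sudo su -" with the user's own directory credentials, which is where the password-change policy actually gets enforced.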
