One of the questions is exactly what are you attempting to accomplish? When it comes to root passwords, one of the things you need to consider is that it is the password to use when things have all fallen apart. You don't have net, you may not even have full filesystem access, i.e. password-protected single-user access. Many of the one-time password solutions fall short in those setups and you now have a machine that you may not be able to get into.
There are a number of ways you can protect/restrict the use of the actual root password. It should be console access only. No root logins over the net, no or very limited "su" access, etc. It's been a long time since I needed to use a root password other than in an emergency situation. So next is: under what circumstances do you need root access? Are you using "su", where you need the root password, or "sudo", where it's the user's credentials via PAM that are needed? There are lots of solutions in the OTP realm for the sudo access methods. There are things like Cryptocard and RSA, but I think these are what you refer to as expensive and bloated. I haven't tried YubiKey yet, but it looks real interesting and cheap. http://yubico.com/yubikey Their web page indicates $25 each or $750 for 50. Larger purchases get it down to $10 each from what I see on the web. Tie these units into your PAM modules for sudo access and you don't have users with reusable passwords getting root on your boxes.

Mathew Snyder made the following keystrokes:
>I'm trying to find a suitable password management application. The
>primary need is to allow for one-use passwords for root. I installed
>KeePass to see what it offers, but I'm less than satisfied with the
>configuration of the TANs. Namely, associating the TAN with a server
>is a bit kludgy and not optimal.
>
>Are there any other applications out there that you folks have used
>that are more-or-less free (as in beer) or at least not some kind of
>unnecessarily bloated application that requires an equally
>unnecessarily bloated license?
>
>-Mathew
>
>"When you do things right, people won't be sure you've done anything
>at all."
>- God; Futurama
>_______________________________________________
>Tech mailing list
>[email protected]
>https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
>This list provided by the League of Professional System Administrators
> http://lopsa.org/
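An added example, not part of the message above or of any list post: a small POSIX shell audit that checks the three controls the reply recommends (no root login over the net, su limited to the wheel group, sudo requiring a YubiKey OTP through PAM) against constructed sample config files written to a temp directory. It assumes the stock OpenSSH sshd_config layout and the Linux-PAM /etc/pam.d/su and /etc/pam.d/sudo files; the pam_yubico.so options (id=, key=, authfile=) follow that module's documentation, and the id/key values shown are placeholders. The weak sshd sample illustrates a real trap: sshd uses the first occurrence of a keyword, so a hardened line appended after an earlier "yes" does nothing.

```shell
#!/bin/sh
# Added audit helpers (not from the list post). Sample configs below are
# constructed, not taken from any real host.

# sshd honours the FIRST occurrence of a keyword, so "PermitRootLogin no"
# appended below an earlier "yes" changes nothing. Keyword match is
# case-insensitive; the rarely used "Keyword=value" spelling is not handled.
sshd_effective() {  # $1 = sshd_config path, $2 = keyword; prints the value sshd uses
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

root_over_net_blocked() {  # true iff PermitRootLogin resolves to "no"
    [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ]
}

# su is limited to the wheel group when pam_wheel.so is an active
# (uncommented) required/requisite auth entry.
su_restricted_to_wheel() {  # $1 = /etc/pam.d/su path
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# sudo demands a YubiKey OTP when pam_yubico.so is an active required/requisite
# auth entry; a "sufficient" entry alone would let the plain password path bypass it.
sudo_requires_otp() {  # $1 = /etc/pam.d/sudo path
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_yubico\.so' "$1"
}

# ---- constructed sample configs: weak setting beside the corrected one ----
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/sshd_config.weak" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# the later "no" is ignored by sshd because the first match wins
PermitRootLogin no
EOF

cat > "$TMP/sshd_config.hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
EOF

cat > "$TMP/su.weak" <<'EOF'
auth       sufficient pam_rootok.so
#auth      required   pam_wheel.so use_uid
auth       include    system-auth
EOF

cat > "$TMP/su.hardened" <<'EOF'
auth       sufficient pam_rootok.so
auth       required   pam_wheel.so use_uid
auth       include    system-auth
EOF

cat > "$TMP/sudo.hardened" <<'EOF'
# id/key are placeholders for the client id and API key issued by Yubico;
# authfile maps local user names to YubiKey public ids (hypothetical path).
auth       required   pam_yubico.so id=12345 key=PLACEHOLDER authfile=/etc/yubikey_mappings
auth       include    system-auth
EOF

report() {  # $1 = label, then the check function and its argument
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi
}

report "sshd weak:     root login over net blocked" root_over_net_blocked  "$TMP/sshd_config.weak"
report "sshd hardened: root login over net blocked" root_over_net_blocked  "$TMP/sshd_config.hardened"
report "su weak:       su limited to wheel"         su_restricted_to_wheel "$TMP/su.weak"
report "su hardened:   su limited to wheel"         su_restricted_to_wheel "$TMP/su.hardened"
report "sudo hardened: sudo requires OTP"           sudo_requires_otp      "$TMP/sudo.hardened"
```

Point the three check functions at the real /etc/ssh/sshd_config, /etc/pam.d/su and /etc/pam.d/sudo to audit a live box; the grep patterns deliberately ignore commented-out lines, which is the most common way a "hardened" entry turns out to be inactive.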
