From: Andrew Raphael (raphael research.canon.com.au)
Date: Thu Feb 01 2001 - 22:18:10 CST
Yoel Inbar <yoel digitalfountain.com> writes:
>On Thu, Feb 01, 2001 at 10:26:24AM -0800, Yoel Inbar wrote:
>> So don't use the same root password on all your machines.
>Indeed. But is that how the real world works? If you have 50 servers,
>how is that managed?
Yes. In my little corner of the real world, all the Unix machines have
different, randomly generated, horrible root passwords. I generate
them using "jot" & "rs" on an OpenBSD machine and store them in a Palm
using Cipher (http://www.klawitter.de/), and hardcopies are kept in a
locked safe.
OPIE and S/KEY are used to get root access for SysAdmins. The
passwords are used only for single-user mode access.
>As my original email said - perhaps the answer to use ssh to connect in as
>root? Is the lack of accountability really that bad? That appears to be
>the only downside.
We use this for general purpose machines inside the perimeter only.
The soft, chewy centre. Our more-secure machines can ssh to general
purpose machines as root using public key authentication only. No
passwords. Our more-secure machines can be used only by SysAdmins, and
they're OpenBSD machines.
I class our machines as General, Interior (more secured), Perimeter
(most secured), Exterior (most secured, expendable). There are
different passphrases for each class of machine. Only General machines
allow ssh to root.
Regards,
--
Andrew Raphael <raphaelresearch.canon.com.au>
Principal System Administrator    NIC Handle: AR5-AU
Canon Information Systems Research Australia
Phone: +61 2 9805 2915    PO Box 313 NORTH RYDE NSW 2113
Fax: +61 2 9805 2929
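The machine-class policy above (root over ssh only on General machines, and only with public keys; Interior, Perimeter and Exterior refuse root over ssh) can be audited against an sshd_config. The script below is an added example, not part of the original post; the class names are the post's, the keywords are standard OpenSSH ones, and it assumes the config contains no "Match" blocks.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# machine-class policy described above (only General machines may allow ssh
# as root, and then only via public keys; Interior, Perimeter and Exterior
# machines refuse root over ssh). Class names are the post's; the config
# keywords are standard OpenSSH ones. Assumes no "Match" blocks in the file.

# Required PermitRootLogin value for a machine class ("without-password" is
# OpenSSH's older spelling of "prohibit-password").
expected_permit_root() {
    case "$1" in
        General) echo "without-password" ;;
        Interior|Perimeter|Exterior) echo "no" ;;
        *) echo "unknown class: $1" >&2; return 2 ;;
    esac
}

# Effective value of a keyword: sshd takes the first occurrence and ignores
# later duplicates, so a hardening line appended below an earlier "yes" does
# nothing. Keywords are case-insensitive; comments and blank lines are skipped.
effective_value() {   # effective_value KEYWORD FILE
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$2"
}

# check_root_ssh_policy CLASS FILE -> 0 if compliant, 1 if not, 2 on bad class.
# An unset keyword is reported as "(unset)" and never passes: the policy is
# only considered enforced when it is stated explicitly.
check_root_ssh_policy() {
    want=$(expected_permit_root "$1") || return 2
    got=$(effective_value PermitRootLogin "$2")
    [ -n "$got" ] || got="(unset)"
    if [ "$got" = "$want" ] ||
       { [ "$want" = "without-password" ] && [ "$got" = "prohibit-password" ]; }; then
        echo "$1 $2: PermitRootLogin=$got OK"; return 0
    fi
    echo "$1 $2: PermitRootLogin=$got, policy requires $want" >&2; return 1
}

# Constructed sample configs for the demonstration.
TMPD=$(mktemp -d)
printf 'Protocol 2\nPermitRootLogin without-password\n' > "$TMPD/general.conf"
printf 'PermitRootLogin yes\n# later line is ignored by sshd\nPermitRootLogin no\n' > "$TMPD/perimeter.conf"
printf '# PermitRootLogin never set\nPasswordAuthentication yes\n' > "$TMPD/interior.conf"
for pair in General:general Perimeter:perimeter Interior:interior; do
    check_root_ssh_policy "${pair%%:*}" "$TMPD/${pair#*:}.conf" || :
done
```

The perimeter sample shows the first-occurrence rule: the trailing `PermitRootLogin no` does not rescue the earlier `yes`, which is why the check reads the first match only.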