(Domain-like setup)

Hans Fugal hans at fugal.net
Sun Apr 5 20:56:18 MDT 2009


You shouldn't be using something as weak as passwords for logging in
remotely as root anyway. Key-based authentication is much better *and*
more convenient.

Yes, if your workstation is compromised and the compromiser knows your
key passphrase, you are in trouble. But I argue it's still more secure
than a different password for each server (which could of course
still have their own passwords for local logins). If you're that
paranoid, change your key passphrase every week and only keep the
private key on removable media that is strapped to your wrist.


Aaron Toponce wrote:
> Jessie Morris wrote:
>> haha. Very funny. Sorry, I've been working and I've been really busy, so I 
>> didn't have much time to reply. Thank you for this response, but just to 
>> clarify, can I use this to log into a linux system. For example, could I 
>> change the root password on the central server and that trickles down to each 
>> of the clients.
> 
> It doesn't "trickle down to each of the clients" like DNS propagates
> from server to server. The account is stored on the remote server,
> rather than locally on the client machine. So when the user logs in,
> they are authenticating against the remote server, rather than
> authenticating against the local client.
> 
> However, don't store the client root account on the LDAP server. Root
> accounts should be kept locally through /etc/passwd and /etc/shadow.
> Also, you'll be tempted to keep the root password the same on all local
> machines. I'd recommend not doing it, and keeping a centralized
> encrypted database with KeePass, or something similar. If you keep all
> the root passwords the same on all machines, and someone gets it, they
> could compromise all your boxen. Sucks for convenience to have all the
> root passwords different, rocks for security.
> 


-- 
Hans Fugal ; http://hans.fugal.net

There's nothing remarkable about it. All one has to do is hit the
right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach
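The two configuration points raised in this thread, allowing only key-based remote root login and keeping root in the local files rather than in LDAP, as an added shell example that is not part of the original messages. It writes constructed sample copies of sshd_config and nsswitch.conf to a temporary directory and audits them. The helper names `sshd_key_only` and `nsswitch_files_first` are my own; the directives PasswordAuthentication, PermitRootLogin (with the values without-password, its newer spelling prohibit-password, forced-commands-only and no) and the `passwd: files ldap` source ordering are real OpenSSH and glibc syntax.

```shell
#!/bin/sh
# Added example, not from the thread. Two offline checks for the two points
# made above: (1) sshd accepts only keys for remote root login, and (2) the
# name-service switch consults local files before LDAP so root keeps living
# in /etc/passwd and /etc/shadow. The config files below are constructed
# samples written to a temporary directory, removed again on exit.

# Return 0 if sshd_config $1 explicitly sets PasswordAuthentication no and
# PermitRootLogin to a value under which no password is ever accepted for
# root. sshd honours the first occurrence of a keyword, so the first active
# (uncommented) line wins here too.
# Assumption: no Match blocks; a Match block could override these settings.
sshd_key_only() {
    pw=$(awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$1")
    root=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$1")
    [ "$pw" = "no" ] || return 1
    case "$root" in
        without-password|prohibit-password|forced-commands-only|no) return 0 ;;
        *) return 1 ;;   # "yes" or unset (old default was yes): not key-only
    esac
}

# Return 0 if nsswitch.conf $1 lists "files" before any "ldap" source on both
# the passwd and shadow lines; a missing line or a line without "files" fails.
nsswitch_files_first() {
    for db in passwd shadow; do
        awk -v key="$db:" '
            $1 == key {
                found = 1; f = 0; l = 0
                for (i = 2; i <= NF; i++) {
                    if ($i == "files" && !f) f = i
                    if ($i == "ldap"  && !l) l = i
                }
                ok = (f && (!l || f < l))
                exit
            }
            END { exit !(found && ok) }' "$1" || return 1
    done
    return 0
}

# Constructed sample inputs (not real hosts).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

cat > "$workdir/sshd_config.weak" <<'EOF'
# constructed sample: password logins to root allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$workdir/sshd_config.hardened" <<'EOF'
# constructed sample: only public keys accepted, root key-only
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password
EOF

cat > "$workdir/nsswitch.conf.good" <<'EOF'
passwd: files ldap
shadow: files ldap
group:  files ldap
EOF

cat > "$workdir/nsswitch.conf.bad" <<'EOF'
passwd: ldap files
shadow: ldap files
EOF

# Report on each sample; use if-statements so no non-zero status leaks out.
for f in sshd_config.weak sshd_config.hardened; do
    if sshd_key_only "$workdir/$f"; then
        echo "$f: remote root login is key-only"
    else
        echo "$f: WEAK - password login to root is possible"
    fi
done
for f in nsswitch.conf.good nsswitch.conf.bad; do
    if nsswitch_files_first "$workdir/$f"; then
        echo "$f: local files consulted before LDAP"
    else
        echo "$f: WEAK - LDAP consulted before local files"
    fi
done
```

Run it against a real host by pointing the two functions at /etc/ssh/sshd_config and /etc/nsswitch.conf instead of the samples; keeping `files` first on the passwd and shadow lines is what lets a local root entry resolve even when the LDAP server is unreachable.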


