On Sat, 24 Jul 2004 18:47:15 +0200, Médéric BOQUIEN
<mederic.boquien(a)laposte.net> wrote:
> For the people with root access, I'll send the
> password of each server

Not trying to start a flame-war or anything.. but I really suggest
just using RSA/DSA keys for root access as well.

The traditional policy of "log in as a regular user, then su to root"
is actually less secure than just using key access. People only stick
with it because of inertia.

In ye olden days before strong public key encryption, passwords were
sent in plaintext, so it made sense not to log in directly as root (to
make things slightly more difficult for packet sniffers).
Using su is more secure than direct login with plaintext passwords.

But we don't use plaintext passwords anymore. We use strong
encryption. Strong encryption is more secure than su. Using su is a
security risk nowadays. Your security is only as strong as the
weakest link, and su is a weak link.

If somebody compromises a user account capable of using su, then it's
trivial to modify that user's PATH and put in a fake su script that
spoofs a failed login, sends the password to Bad Guy, and then removes
all traces of itself.

It also makes it simpler to add or remove root access, if you only
have to worry about changing the authorized_keys file, rather than
changing the password and re-notifying everyone. Passwords are a
security risk, and should basically never be used (I actually disable
password logins entirely on most of my production machines, and force
everybody to use pub keys for everything).

Just my $0.02 (US).

-Bill Clark
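As an added example (not part of the thread), here is a POSIX shell checker for the policy the post describes: password logins off, public keys on, root reachable by key only. It reads an OpenSSH sshd_config and honours two rules admins often get wrong: sshd uses the first value given for a keyword, and anything after a Match line is conditional. It assumes the OpenSSH keywords PasswordAuthentication, PubkeyAuthentication and PermitRootLogin with their documented defaults; both sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits an sshd_config
# for key-only access. sshd takes the FIRST value it sees for a keyword
# and treats lines after a "Match" block as conditional, so a naive
# "grep | tail -1" misreads both cases.

# Print the effective global value of a keyword (case-insensitive),
# reading the config from stdin; print the sshd default if it is unset.
# Assumes the usual "Keyword value" form rather than "Keyword=value".
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        { sub(/#.*/, "") }                 # drop comments, refresh fields
        NF == 0 { next }
        tolower($1) == "match" { exit }    # later lines are conditional
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# Return 0 when the config enforces key-only logins, 1 otherwise.
# Defaults are OpenSSH documented ones: PasswordAuthentication yes,
# PubkeyAuthentication yes, PermitRootLogin prohibit-password.
keys_only() {
    cfg="$1"
    pw=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication yes)
    pk=$(printf '%s\n' "$cfg" | sshd_effective PubkeyAuthentication yes)
    root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin prohibit-password)
    [ "$pw" = no ] && [ "$pk" = yes ] &&
        { [ "$root" = prohibit-password ] || [ "$root" = without-password ] || [ "$root" = no ]; }
}

# Constructed sample: the password-based setup the post argues against.
WEAK_CFG='PasswordAuthentication yes
PermitRootLogin yes'

# Constructed sample: the key-only setup, with two traps for a sloppy
# checker (a duplicate keyword and a conditional Match exception).
HARD_CFG='PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
PermitRootLogin yes             # ignored by sshd: the first value wins
Match Address 10.0.0.0/8
    PasswordAuthentication yes  # conditional, not the global setting'

for name in WEAK_CFG HARD_CFG; do
    eval "cfg=\$$name"
    if keys_only "$cfg"; then echo "$name: key-only access enforced"
    else echo "$name: password logins still possible"; fi
done
```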