On Sat, 24 Jul 2004 18:47:15 +0200, Médéric BOQUIEN mederic.boquien@laposte.net wrote:
> For the people with root access, I'll send the password of each server
Not trying to start a flame-war or anything... but I really suggest just using RSA/DSA keys for root access as well.
The traditional policy of "log in as a regular user, then su to root" is actually less secure than just using key access. People only stick with it because of inertia.
In ye olden days before strong public key encryption, passwords were sent in plaintext, so it made sense not to log in directly as root (to make things slightly more difficult for packet sniffers).
Using su is more secure than direct login with plaintext passwords. But we don't use plaintext passwords anymore. We use strong encryption. Strong encryption is more secure than su. Using su is a security risk nowadays. Your security is only as strong as the weakest link, and su is a weak link.
If somebody compromises a user account capable of using su, then it's trivial to modify that user's PATH and put in a fake su script that spoofs a failed login, sends the password to Bad Guy, and then removes all traces of itself.
It also makes it simpler to add or remove root access, if you only have to worry about changing the authorized_keys file, rather than changing the password and re-notifying everyone. Passwords are a security risk, and should basically never be used (I actually disable password logins entirely on most of my production machines, and force everybody to use pub keys for everything).
Just my $0.02 (US).
-Bill Clark
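The two weak links Bill's message names, an sshd that still accepts passwords and a PATH in which a user-writable directory is searched before the real su, can both be checked mechanically. The script below is an added example written for this page, not code from Bill, Médéric or the list. The sample sshd_config files, the temporary directory and the PATH strings it audits are all constructed for the demo; the one real-world detail it relies on is that sshd honours the first occurrence of a keyword in the global section and ignores later duplicates, which is why "appending PasswordAuthentication no at the end of the file" so often changes nothing.

```shell
#!/bin/sh
# Added example, not part of the thread: audit the two weak links the message
# describes. (1) an sshd_config that still accepts passwords, and (2) a PATH
# that searches a user-writable directory before the real 'su'.
# Every file name, sample config and PATH value below is constructed for the demo.

# sshd uses the FIRST occurrence of a keyword in the global section and ignores
# later ones. A "Match" line ends the global section; per-host/per-user
# overrides inside Match blocks are not evaluated here.
# usage: sshd_effective FILE KEYWORD -> prints the effective value (lowercase),
#        or nothing if the keyword is not set in the global section
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0  { next }                     # comment or blank line
        tolower($1) == "match" { exit }                     # end of global section
        tolower($1) == key     { print tolower($2); exit }  # first occurrence wins
    ' "$1"
}

# usage: sshd_findings FILE -> one finding per line; no output means clean
sshd_findings() {
    pa=$(sshd_effective "$1" PasswordAuthentication)
    prl=$(sshd_effective "$1" PermitRootLogin)
    # OpenSSH treats an absent PasswordAuthentication keyword as "yes"
    if [ "${pa:-yes}" = "yes" ]; then
        echo "PasswordAuthentication is effectively yes"
    fi
    case "$prl" in
        no|without-password|prohibit-password) ;;
        "") echo "PermitRootLogin is not set explicitly; set it to without-password or no" ;;
        *)  echo "PermitRootLogin $prl lets root authenticate with a password" ;;
    esac
}

# usage: path_shadow_dirs PATH_VALUE TRUSTED_DIR
# Prints every PATH entry searched before TRUSTED_DIR that the current user can
# write to, or that is the current directory (empty entry or "."), i.e. a place
# where a planted 'su' would be found before the real one. No output is good.
# (Subshell body so the IFS change does not leak into the caller.)
path_shadow_dirs() (
    trusted=$2
    IFS=:
    for d in $1; do
        if [ "$d" = "$trusted" ]; then break; fi
        if [ -z "$d" ] || [ "$d" = "." ] || [ -w "$d" ]; then
            echo "${d:-(empty entry = current directory)}"
        fi
    done
)

# --- constructed samples ---------------------------------------------------
DEMO=$(mktemp -d)
WEAK_CFG=$DEMO/sshd_config.weak
GOOD_CFG=$DEMO/sshd_config.good
mkdir -p "$DEMO/bin"    # stands in for a user-writable directory on PATH

cat > "$WEAK_CFG" <<'EOF'
# weak: passwords accepted; the trailing "no" is silently ignored by sshd
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
EOF

cat > "$GOOD_CFG" <<'EOF'
# hardened: keys only; root may log in, but never with a password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password
# overrides for a specific network live in a Match block (global section ends here)
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF

echo "== findings for $WEAK_CFG"; sshd_findings "$WEAK_CFG"
echo "== findings for $GOOD_CFG"; sshd_findings "$GOOD_CFG"
echo "== PATH entries that could shadow /usr/bin/su"
path_shadow_dirs "$DEMO/bin:.:/usr/bin:/bin" /usr/bin
```

Run it as the ordinary user whose account would be used to su, since `-w` is evaluated for the caller; the PATH check is only meaningful for a non-root account. The sshd part reads one file and does not follow `Include` directives, so point it at the file sshd actually loads.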