Home page logo

basics logo Security Basics mailing list archives

Re: Password Change Management
From: Jakub Zvěřina <barbucha () gmail com>
Date: Wed, 1 Mar 2006 22:53:53 +0100

IMO, the best solution of this is that admin has his own account and he would manage server via sudo. When he's off, just remove him from sudoers. I do not see anything bad about this, do you? Since you can excactly specify what he can do and where, I think, there is no better way to manage this.

Other way could be let the admins authenticate themselves by public DSA(or RSA) key. It is also easy to remove him from ~/.ssh/ authorized_keys. Changing of passwords is too expensive to do it always someone is "leaving the ship".


On 28.2. 2006, at 22:38, Matt Alexander wrote:

How are others managing password changes?

For example, let's say you have a group of admins with root/admin passwords to everything. Someone either leaves the company or leaves their cellphone (with all their passwords) in a taxi. What procedures do you follow to change the passwords as quickly as possible?

How do you securely distribute new passwords to your admins?

Do you keep a central password repository? If so, how do you ensure that the repository is completely secure?

Has anyone found a good way to completely automate the changing of passwords?

In addition, is anyone using RSA tokens or something similar to get rid of passwords all together?

Many password problems can be handled by having admins use sudo or be a member of an administrators group, etc., but there are times when this isn't possible and I'd like to find a way to improve the process.


The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]