Re: Password Aging and System Accounts

From: Adam Price (adam+usenet_at_pappnase.co.uk)
Date: 02/19/04


Date: Thu, 19 Feb 2004 07:29:56 +0000

On 18 Feb 2004 14:26:44 -0800, F Moore wrote:

> Password aging works wonderfully. However, if it's the root account,
> and you don't log on and change it before it expires, you can wind up in
> a heap of trouble! Not being able to use the root account (su -)
> creates all kinds of problems, both with current activities, as well
> as taking systems down to recover the account.
>
> Being that we're sysadmins with ultimate authority on the systems we
> maintain (we are in fact the ones who implement the aging policy), and
> that our company has entrusted us to secure passwords, does anyone
> have a policy where they don't age their root passwords? We're trying
> to sell this one exception to the general policy to our IT managers,
> but they want a "best practice" document to show that it's somewhat
> common in the industry.
>
> Has anyone seen anything out there by Sun or any security sites that
> might help us sell this?
>
> TIA

Remember that Policy and Mechanism are not the same; you can always make
the Policy of password aging apply to the root account, and make the
mechanism different. You as custodians of the systems should be
trustworthy enough to change the root password as needed. The users may
have other roles and so need their hand 'forced' by a password aging
mechanism.

On the other hand...

On our unix systems we tend to set up password aging such that the lockout
only applies to remote logins. Logins from the system console as root are
always accepted. That way we comply with policy and still have a 'get out
of jail' card.

We also make extensive use of sudo, and each of the admins has the rights to
run a shell under the sudo environment, providing another way around the
problem.

The last secure solution I can think of is to install the relevant public
keys of the admins and allow them to ssh into the box. Not so keen on this
one personally though, as it seems to encourage people to log in as root when
the task they are performing could easily be done as a non-root user.

I'm not sure which of these can be implemented under Solaris, as none of our
systems run it, but I would have thought that making the policy universal
is still the right thing. After all, if the root password is compromised it
is so much more of a problem.

Adam
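The trouble described in this thread starts when nobody notices that root's password is about to age out. As an added example (not code from either poster), the script below parses shadow(5)-style lines (name:hash:lastchg:min:max:warn:inactive:expire:flag, with day counts since 1970-01-01) and reports, for a watch list of privileged accounts, when each password expires and when the inactive period would lock the account; the sample shadow data and the reference date are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)   # shadow(5) day counts are days since this date
NEVER = 99999              # conventional max value meaning "password never ages"

@dataclass
class AgingStatus:
    name: str
    expires_on: date            # last change + max days
    locked_on: Optional[date]   # expiry + inactive days; None if never locked out
    days_left: int              # negative once the password has already expired

def aging_status(line: str, today: date) -> Optional[AgingStatus]:
    """Aging status for one shadow(5) line, or None when aging is disabled."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"malformed shadow line: {line!r}")
    # Empty numeric fields are "unset"; lastchg, max and inactive are fields 3, 5, 7.
    lastchg, maxdays, inactive = (int(x) if x.strip() else None for x in (f[2], f[4], f[6]))
    # No lastchg, no max, or the 99999 sentinel means the password never ages.
    if lastchg is None or maxdays is None or maxdays >= NEVER:
        return None
    expires = EPOCH + timedelta(days=lastchg + maxdays)
    locked = expires + timedelta(days=inactive) if inactive is not None and inactive >= 0 else None
    return AgingStatus(f[0], expires, locked, (expires - today).days)

def audit(shadow_text: str, watch: set, today: date) -> list:
    """Aging status of each watched account (root, service accounts) that is aged."""
    results = []
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            st = aging_status(line, today)
            if st and st.name in watch:
                results.append(st)
    return results

# Constructed sample data; the hashes are placeholders, not real credentials.
SAMPLE_SHADOW = """root:$6$PLACEHOLDER:12400:0:90:7:3::
daemon:*:12000:0:99999:7:::
adam:$6$PLACEHOLDER:12430:0:90:7:::
oracle:$6$PLACEHOLDER:12350:0:60:7:0::
"""
TODAY = date(2004, 2, 19)  # fixed reference date so the sample is reproducible

def run_sample() -> list:
    return audit(SAMPLE_SHADOW, {"root", "daemon", "oracle"}, TODAY)
```

Running `run_sample()` shows root expiring in 23 days and locking 3 days later, oracle already expired (and, with inactive=0, locked on the same day), and daemon skipped because its max field is the 99999 sentinel.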


