Restricting root to specific network while leaving other accounts unaffected

Anthony Verevkin anthony-P5WJPa9AKEcsA/PxXw9srA at public.gmane.org
Mon Jul 15 00:39:01 UTC 2013


> From: "Randy Jonasz" <rjonasz-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>

> > When you have keys in all those systems, I would say security wise,
> > you are worse off. Keys work well if you always originate from one
> > system that you trust. Passwords that age are far better in that
> > setup.
> 
> Have you looked into a yubikey? http://www.yubico.com

I believe he wants to automate things, and yubikey is again a single use
token entered by a human...

However, I too don't see how keys would be less secure than passwords. Yes,
you do set the passwords to age automatically. So if you just disappear and
let the system run, it will eventually stop letting the systems in. And you
now have the burden of changing the (saved?) passwords on all the
originating client machines. You would probably want to have something like
cfengine or puppet to do that. The same system can take care of removing the
no-longer-trusted keys from servers.

And in case I was mistaken and you do not have the passwords saved on the
client machines and you have to enter them manually for each run, you could
get the same level of security by encrypting the keys (that's what you
usually do, right?).

Regards,
Anthony
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
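The reply above leaves the "removing the no-longer-trusted keys from servers" step to cfengine or puppet. The following is an added example (not code from the original thread or from either tool) of the core of that step: prune an authorized_keys file down to an allow-list of trusted public keys, preserving comments, blank lines and per-key options such as from= and command=. The sample file contents, the placeholder base64 blobs and the TRUSTED_KEYS set are all constructed for the example; real key blobs would be the full base64 output of ssh-keygen.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample authorized_keys content for the example. The base64
# blobs are placeholders, not real key material.
SAMPLE_AUTHORIZED_KEYS = """\
# backup account keys, managed centrally
ssh-ed25519 AAAATRUSTEDKEY1 backup@host-a
from="10.0.0.0/8",no-pty,command="/usr/local/bin/backup" ssh-rsa AAAATRUSTEDKEY2 backup@host-b

ssh-ed25519 AAAASTALEKEY3 former-admin@laptop
"""

# Constructed allow-list: (key type, base64 blob) pairs that should remain.
TRUSTED_KEYS: Set[Tuple[str, str]] = {
    ("ssh-ed25519", "AAAATRUSTEDKEY1"),
    ("ssh-rsa", "AAAATRUSTEDKEY2"),
}

# Matches the key type and blob of an authorized_keys entry, whatever
# options precede it. The leading whitespace/start anchor stops a quoted
# command= value such as command="ssh-rsa ..." from being taken as the key.
_KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-[\w@.-]+)\s+([A-Za-z0-9+/=]+)"
)


def parse_key(line: str) -> Optional[Tuple[str, str]]:
    """Return (type, base64 blob) for a key line, or None if no key is found."""
    m = _KEY_RE.search(line)
    if m is None:
        return None
    return m.group(1), m.group(2)


def prune_authorized_keys(
    text: str, trusted: Set[Tuple[str, str]]
) -> Tuple[List[str], List[str]]:
    """Split authorized_keys content into lines to keep and lines to remove.

    Comments and blank lines are kept verbatim. A key line is kept only if
    its (type, blob) pair is in the trusted set; the options in front of it
    are preserved untouched. A non-empty line that does not parse as a key
    is removed as well, so an unreadable entry fails closed instead of
    silently surviving.
    """
    kept: List[str] = []
    removed: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        key = parse_key(line)
        if key is not None and key in trusted:
            kept.append(line)
        else:
            removed.append(line)
    return kept, removed


if __name__ == "__main__":
    kept, removed = prune_authorized_keys(SAMPLE_AUTHORIZED_KEYS, TRUSTED_KEYS)
    print("--- kept ---")
    print("\n".join(kept))
    print("--- removed ---")
    print("\n".join(removed))
```

Running the block removes only the former-admin entry; the trusted key that carries from=, no-pty and command= options keeps them intact. In a real deployment the trusted set would come from the configuration-management repository and the kept lines would be written back to the file atomically (temporary file plus rename) so that sshd never sees a half-written authorized_keys.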