Assigning ROOT a password
Derek Broughton
news at pointerstop.ca
Mon Apr 28 14:14:28 UTC 2008
Larry Hartman wrote:
>> The reason for not having a root password is to prevent the
>> software that is used to crack passwords from being able
>> to get to your system.
>>
>
> huh? I am dizzified by this statement.

If you know a username on the system, you're halfway to cracking an account.
Having a user named "root" is just silly.

> Seems counterintuitive to all that I have been taught about user account
> security. I can hear the MS sys admins hollering now, use a 16-digit,
> random, 4 special characters, 4 lower-case, 4 upper-case, and 4 numbers
> password!
>
> If the above is the case, it leads to the next question, why assign any
> passwords for other usernames?

Sorry Larry, I just can't parse a meaningful question out of that.
Who "assigns" passwords? What does MS have to do with the question of
what's a safe password (I was hearing these sorts of suggestions before any
of us had a Windows computer)? And what does the complexity of the
password have to do with whether it's root's password or a user's?

> I'd like to know the logic behind the
> above quoted statement better....and what distinguishes security for root,
> vice security for a username that uses its own password for SUDO access,
> that can lead to root access?

A shared secret is not a secret. If more than one person knows root's
password, assume it's not a secret. Using sudo, you know _who_ got root
access. It's not so much having locks on the house, as having a security
camera to see who comes in.

I administer a CentOS system that has a root account. I don't know the root
password; since I've never had physical access to the system, I probably
couldn't ssh in as root anyway; and I've never had any trouble
administering it via sudo.
--
derek
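
The "security camera" point in the message above, as an added example that is not part of the original post: a short Python audit over auth-log lines showing that sudo entries name the invoking user while a direct root login does not. The log lines are constructed samples in the common syslog layout, and the function name `audit_root_access` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the common syslog auth.log layout (not from a real host).
SAMPLE_LOG = """\
Apr 28 14:02:11 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Apr 28 14:03:47 box sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl restart apache2
Apr 28 14:04:02 box sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow
Apr 28 14:05:40 box sshd[2211]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Apr 28 14:06:15 box sshd[2290]: Accepted publickey for alice from 192.0.2.11 port 51300 ssh2
"""

# sudo records the invoking user before " : " and the target account in USER=.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?P<pre>.*?)USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# A direct root login only records the account name and the source address.
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


def audit_root_access(log_text):
    """Group root access by the person responsible, where the log names one."""
    sudo_ok, sudo_denied, unattributed = defaultdict(list), defaultdict(list), []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m and m.group("target") == "root":
            pre = m.group("pre")
            denied = "NOT in sudoers" in pre or "incorrect password" in pre
            (sudo_denied if denied else sudo_ok)[m.group("user")].append(m.group("cmd"))
            continue
        m = SSH_RE.search(line)
        if m and m.group("user") == "root":
            # Anyone who knows the shared password; the log cannot say which person.
            unattributed.append(m.group("src"))
    return {"sudo_ok": dict(sudo_ok), "sudo_denied": dict(sudo_denied),
            "unattributed_root": unattributed}


if __name__ == "__main__":
    for section, entries in audit_root_access(SAMPLE_LOG).items():
        print(section, entries)
```
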