Assigning ROOT a password

Larry Hartman larryhartman50 at vzavenue.net
Tue Apr 29 00:05:05 UTC 2008


On Monday 28 April 2008 07:14:28 am Derek Broughton wrote:
> Larry Hartman wrote:
> >> The reason for not having a root password is to prevent the
> >> software that is used to crack passwords from being able
> >> to get to your system.
> >
> > huh?  I am dizzified by this statement.
>
> If you know a username on the system, you're halfway to cracking an
> account. Having a user named "root" is just silly.
>

OK, I think this brings me full circle back to another post I made on the same
thread.... Are you really saying that the root account is disabled, vice
saying that the root account is enabled but without a password?

> > Seems counterintuitive to all that I have been taught about user account
> > security.  I can hear the MS sys admins hollering now, use a 16-digit,
> > random, 4 special characters, 4 lower-case, 4 upper-case, and 4 numbers
> > password!
> >
> > If the above is the case, it leads to the next question, why assign any
> > passwords for other usernames?
>
> Sorry Larry, I just can't parse a meaningful question out of that.
> Who "assigns" passwords?  What does MS have to do with the question of
> what's a safe password (I was hearing these sorts of suggestions before any
> of us had a Windows computer)?  And what does the complexity of the
> password have to do with whether it's root's password or a user's?
>

This question is linked to the one I just asked above.  If the root account exists
but has no password, then my thinking suggests that it would not matter whether a
user with sudo privileges has a password or not, regardless of how complex it is.

> > I'd like to know the logic behind the
> > above quoted statement better....and what distinguishes security for
> > root, vice security for a username that uses its own password for SUDO
> > access, that can lead to root access?
>
> A shared secret is not a secret.  If more than one person knows root's
> password, assume it's not a secret.  Using sudo, you know _who_ got root
> access.  It's not so much having locks on the house, as having a security
> camera to see who comes in.
>

This makes sense in light of my second comment in this same email.  Prohibit
any root account access and force all access through individual users, and now you
have an audit trail.

This works until one considers accessing the system in failsafe mode, which
appears to give root access without a password.  So in failsafe mode the root account
is enabled?  Could someone remotely reboot the system and go into failsafe from
that remote location?

> I administer a CentOS system that has a root account.  I don't know the
> root password; since I've never had physical access to the system, I
> probably couldn't ssh in as root anyway; and I've never had any trouble
> administering it via sudo.
> --
> derek


Please help me, I am slow.

Larry
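An added example, not part of Larry's or Derek's posts, that makes the two points under discussion concrete: the difference between a root account that is *locked* and one that is *enabled with an empty password* lives in the second field of /etc/shadow, and the "who got root" record Derek describes is the line sudo writes to syslog (/var/log/auth.log on Ubuntu). The function names `shadow_status` and `sudo_audit`, the host name `kubuntu`, the user names and every shadow and log line below are constructed for this example; nothing here is from the thread or from Ubuntu's own tooling except the `passwd -S` check mentioned in the comments.

```shell
#!/bin/sh
# Added example (not from the original thread). Classifies /etc/shadow
# entries and extracts the sudo audit trail from syslog-format lines.
# All sample data is constructed; shadow_status and sudo_audit are this
# example's own names.

# shadow_status LINE
# Look at the password field (field 2) of one /etc/shadow entry:
#   LOCKED - starts with '!' (what "passwd -l" writes, and Ubuntu's default
#            for root) or is '*': no password can ever match, so nobody
#            can log in *as root with a password*
#   EMPTY  - field is empty: the account is enabled and no password is
#            asked for at all, the case Larry is worried about
#   HASHED - an ordinary password hash is present
shadow_status() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')   echo EMPTY ;;
        '!'*) echo LOCKED ;;
        '*')  echo LOCKED ;;
        *)    echo HASHED ;;
    esac
}

# sudo_audit < LOGLINES
# Print "user command" for every sudo invocation on stdin. This is the
# per-person record sudo gives you and a shared root password cannot:
# "larry ran adduser", not "somebody who knew root's password did".
sudo_audit() {
    sed -n 's/^.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/p'
}

# Constructed sample data -------------------------------------------------
SHADOW_LOCKED='root:!:13998:0:99999:7:::'     # locked root (Ubuntu default)
SHADOW_EMPTY='root::13998:0:99999:7:::'       # root enabled, no password
SHADOW_HASHED='larry:$1$abcdefgh$ijklmnopqrstuvwxyz01:13998:0:99999:7:::'

AUTH_LOG='Apr 28 07:14:28 kubuntu sudo:    larry : TTY=pts/0 ; PWD=/home/larry ; USER=root ; COMMAND=/usr/sbin/adduser bob
Apr 28 07:15:02 kubuntu sudo:    derek : TTY=pts/1 ; PWD=/home/derek ; USER=root ; COMMAND=/bin/cat /etc/shadow
Apr 28 07:15:30 kubuntu sshd[2112]: Accepted publickey for derek from 192.0.2.10 port 52314 ssh2'

# Demonstration. On a live Ubuntu system the same question is answered by
#   sudo passwd -S root
# whose second column is "L" for locked, "NP" for no password, "P" for a
# usable password.
for line in "$SHADOW_LOCKED" "$SHADOW_EMPTY" "$SHADOW_HASHED"; do
    printf '%-8s %s\n' "$(shadow_status "$line")" "${line%%:*}"
done
printf '%s\n' "$AUTH_LOG" | sudo_audit
```

The shadow field only governs password authentication. A root shell reached from the console in recovery mode does not consult it, so the remote-reboot question above is really a question about who can reach the bootloader menu and the console, not about root's password.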




More information about the kubuntu-users mailing list