[colug-432] password survey
Brian Miller
bnmille at gmail.com
Sat May 24 12:19:57 EDT 2014
On 05/22/2014 06:52 PM, Scott McCarty wrote:
> For keys there are definitely guidelines. Here is an old article I wrote, but still very important data:
>
> http://crunchtools.com/ssh-keychain/
>
> See sections: Key Length & RSA vs. DSA
>
> Best Regards
> Scott M
>
So, my original post wasn't asking for policy guidance. I was looking
for examples of what people actually do. As part of a consolidation
effort, we are likely to have over 1000 UNIX/Linux servers under a
single management group. The proposed security standard wants us to
have 8+ characters, and to change them every 90 days. My initial
thought was that if I'm on the management team, they had better give me
at least one day every 3 months just to manage MY passwords, since there
is no initial plan to have centralized authentication with LDAP. And
have they planned enough manpower to handle user password change/reset
requests (estimating an average of 6 non-admin user accounts per
server)? I'm trying to argue that if we combine SSHD with tcpwrappers
(we are looking at a total of maybe 12 Class-C/B subnets from which
users would need to connect, and most servers would only need 3 or 4 of
them) that would effectively give us 2 factor authentication, so we
shouldn't have a need to change passwords at all.
But thanks for the links.
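The source-subnet restriction Brian describes (sshd behind tcpwrappers, a few permitted subnets per server) looks roughly like the following. This is an added illustration, not configuration from the thread or from either poster; the subnets are constructed placeholders from the RFC 5737 documentation ranges, and the sshd_config lines are an alternative that does not rely on libwrap, since OpenSSH 6.7 and later no longer link against tcpwrappers.

```conf
# Added example (not from the original thread): allow sshd only from a
# short list of source subnets. Subnet values are constructed placeholders
# (RFC 5737 documentation ranges), not anyone's real networks.

# /etc/hosts.deny -- default deny for the wrapped daemon
sshd: ALL

# /etc/hosts.allow -- only the subnets whose users need this server.
# libwrap accepts a trailing-dot prefix for a whole class A/B/C net, or
# net/mask notation; the first matching rule in hosts.allow wins.
sshd: 192.0.2.
sshd: 198.51.100.0/255.255.255.0
sshd: 203.0.113.0/255.255.255.0

# /etc/ssh/sshd_config -- the same restriction enforced by sshd itself,
# for builds without libwrap support. AllowUsers takes USER@HOST patterns,
# and HOST may be given in CIDR form; any login not matching a pattern
# is refused before password or key checks are reached.
AllowUsers *@192.0.2.0/24 *@198.51.100.0/24 *@203.0.113.0/24
```

Check the effect from a host outside the listed ranges before relying on it (the connection should be refused for every user), and keep the hosts.allow list and the AllowUsers list in step when a subnet is added or retired. Note that this is a network-based access restriction rather than a second authentication factor: it limits where a stolen password can be used from, but does not by itself verify anything additional about the user.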