[colug-432] password survey

Brian Miller bnmille at gmail.com
Sat May 24 15:17:52 EDT 2014


On 05/24/2014 02:48 PM, Scott McCarty wrote:
> Check out FreeIPA, it can do centralized key management for Linux/Unix.
> Supported version comes with any Red Hat Enterprise Linux subscription.

It's not that we don't want a centralized authentication source.  But we 
are combining servers from at least a dozen agencies.  As far as I know, 
we are the only one that has begun to use LDAP.  But all of our servers 
haven't been converted, and we have no centralized LDAP that has users 
from all the agencies.  That's likely a year away.

I wouldn't mind a 30 day password change policy if I could change it in 
one location for all 1000 servers.



> -------- Original message --------
> From: Brian Miller
> Date:05/24/2014 12:19 PM (GMT-05:00)
> To: colug-432 at colug.net
> Subject: Re: [colug-432] password survey
>
> On 05/22/2014 06:52 PM, Scott McCarty wrote:
>  > For keys there are definitely guidelines. Here is an old article I
> wrote, but still very important data:
>  >
>  > http://crunchtools.com/ssh-keychain/
>  >
>  > See sections: Key Length & RSA vs. DSA
>  >
>  > Best Regards
>  > Scott M
>  >
>
> So, my original post wasn't asking for policy guidance.  I was looking
> for examples of what people actually do.  As part of a consolidation
> effort, we are likely to have over 1000 UNIX/Linux servers under a
> single management group.  The proposed security standard wants us to
> have 8+ characters, and to change them every 90 days.  My initial
> thought was that if I'm on the management team, they had better give me
> at least one day every 3 months just to manage MY passwords, since there
> is no initial plan to have centralized authentication with LDAP.  And
> have they planned enough manpower to handle user password change/reset
> requests (estimating an average of 6 non-admin user accounts per
> server)?   I'm trying to argue that if we combine SSHD with tcpwrappers
> (we are looking at a total of maybe 12 Class-C/B subnets from which
> users would need to connect, and most servers would only need 3 or 4 of
> them) that would effectively give us 2 factor authentication, so we
> shouldn't have a need to change passwords at all.
>
> But thanks for the links.
>
>
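The quoted post proposes combining sshd with tcpwrappers so that each server only accepts SSH from the three or four subnets its users actually come from. The following is an added example, not code from the thread: a small Python model of how libwrap evaluates `/etc/hosts.allow` and `/etc/hosts.deny` (hosts.allow first, then hosts.deny, first match wins, no match means allow), run over constructed rule files for one such server. The subnets, the rule files and the `decide()` function are all constructed for illustration; the model handles only the `ALL`, `net/mask`, trailing-dot prefix and single-address client forms, not the full tcp_wrappers syntax.

```python
import ipaddress

# Constructed sample of /etc/hosts.allow for one server: only the subnets
# that server's users connect from (RFC 5737 documentation ranges).
HOSTS_ALLOW = """
# daemon_list : client_list
sshd : 10.10.0.0/255.255.0.0
sshd : 192.0.2.0/255.255.255.0 198.51.100.
sshd : 203.0.113.128/255.255.255.128
"""

# Constructed sample of /etc/hosts.deny: everything else is refused for sshd.
HOSTS_DENY = """
sshd : ALL
"""


def _parse(text):
    """Turn 'daemons : clients' lines into (daemon_list, client_list) tuples,
    skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append((daemons.split(), clients.split()))
    return rules


def _client_matches(pattern, ip):
    """Simplified client pattern matching (subset of tcp_wrappers forms)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # net/mask form, e.g. 10.10.0.0/255.255.0.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        # trailing-dot prefix form, e.g. 198.51.100. matches 198.51.100.x
        return str(ip).startswith(pattern)
    return ip == ipaddress.ip_address(pattern)


def decide(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny' for a connection from `client` to `daemon`,
    following libwrap order: hosts.allow, then hosts.deny, first match wins;
    if neither file matches the connection is allowed."""
    ip = ipaddress.ip_address(client)
    for verdict, table in (("allow", allow), ("deny", deny)):
        for daemons, clients in _parse(table):
            if daemon in daemons or "ALL" in daemons:
                if any(_client_matches(p, ip) for p in clients):
                    return verdict
    return "allow"


if __name__ == "__main__":
    for src in ("10.10.42.7", "198.51.100.9", "203.0.113.200", "203.0.113.5", "8.8.8.8"):
        print(f"sshd from {src}: {decide('sshd', src)}")
```

Two points the model makes visible: a daemon with no rule in either file (say `ftpd` here) is allowed from anywhere, so the catch-all in `hosts.deny` should name every wrapped service you care about; and the restriction only limits where a password can be tried from, it is a network control rather than a second authentication factor, so it should be paired with the usual sshd hardening. Note also that OpenSSH dropped libwrap support in 6.7, so on newer builds the equivalent is a `Match Address` block in `sshd_config` or a host firewall rule rather than `hosts.allow`.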


