Mike Tierney wrote
If anyone is *REALLY* determined they can
1) Cut the padlock 2) Pop the case and clear the BIOS password via jumpers
Right. So whenever a user has physcial access to the hardware, you can't do much to prevent him from hacking into the system. And a user who should recover a broken system when I'm off, should have access to the server he needs to recover, so... I think the question here is: How easy should it be for someone to get root access? If users know the root password by default, they tend to use it from time to time "to do a little fix or install a little program because the admin has already gone home...", and that's what we don't want. In case sth. breaks while I'm not in the office, a pre-selected user opens a sealed envelope. I see this when I'm back and change the password again to avoid this user doing "a little fix or..." :-) Because this user must have a key to the server room, I must trust him that he does not open the server and resets the bios to break in. And if I trust him this way, I can also trust him that he does not install a backdoor after opening the envelope and working as root to fix the server. That's the deal. Nothing more. And all I want to reach is to give this user a different root password than my usual root password, so that I don't have to change mine after the envelope was opened.
3) Change the BIOS back to booting from CDROM and pop in a boot disk 4) Not sure how they'd deal with the encrypted disks! Maybe get a job as a cleaner and install a keystroke logger on the keyboard a few weeks beforehand...?
So all of a sudden leaving the root password in a sealed envelope that's stored in a locked filing cabinent doesn't sound so bad after all!!!!
Especially not for a chair with 10 people where we all know each other very well and everyone knows where to get the key to enter the server room :-) -- Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/ Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/ LMU, Amalienstr 17 Phone: +49 89 2180-4049 80333 Muenchen, Germany Fax: -4054 * Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *