[CentOS] crontab and gedit

Fri Jan 25 04:17:49 UTC 2013
Keith Keller <kkeller at wombat.san-francisco.ca.us>

On 2013-01-25, Cliff Pratt <enkiduonthenet at gmail.com> wrote:
>
> I used to think that, but a password is almost always recoverable, on
> more or less any Linux system.

In the San Francisco case, the passwords in question were for Cisco
routers and other networking equipment.  Those are probably much harder
to recover/reset, and much more inconvenient to do.  I believe that
getting someone in to reset the passwords would have been a few
thousand dollars and taken the entire city government network down for
at least a day, possibly longer.  (At least that's what we were told
at the time.)

In addition, consider this not-terribly-likely scenario (though probably
no less likely than me getting hit by a bus):  I get mugged, my phone
with my Keypass file on it is stolen, and I'm left unconscious.  In this
case my manager probably wants the passwords changed as quickly as
possible, just in case the thief wants to try to crack my Keepass
encryption and crack our servers.  Given a choice between having to hire
someone incredibly expensive to reset all the passwords right away (and
hope that he's gotten all of them!) (including the passwords for the
non-linux boxes) and having the passwords right in front of him, I am
guessing that most managers would choose the latter.

One compromise solution would be to share the Keepass file with your
manager, and keep the keyfile and/or passphrase with someone trusted
(either the manager or someone else).  This way there is an independent
record of the passwords but they are still encrypted.  If the password
file is on a USB stick, then it's also not on the network and at risk of
remote copying.

Think of it as RAID1 for your passwords.  Sysadmins love redundancy!  :)

--keith

-- 
kkeller at wombat.san-francisco.ca.us