An observation from changing my password

September 5, 2010

I've changed my password at work, or started to change it at least (this will be an extended process). Doing this has reinforced some things that I know but rarely think about, and exposed a surprising inconvenience in how I do things.

The big thing is that you don't really remember how many machines you have accounts on until you try to work out how many different places you need to change your password. This is not really an issue for users (if we sysadmins are doing our job right, they change their password once and it magically propagates everywhere), but as a sysadmin I have access to all sorts of isolated machines that are not part of our password propagation system. Which means that I get to change my password on all of them, assuming that I can remember what they all are.

(In looking at this, I see that usermod on Linux machines actually has an option to just staple a new encrypted password into place. This reduces the problem to running a command as root on most of those machines, which is a mostly solved problem around here. In fact, I was already using 'run a command everywhere' to check /etc/shadow to see if I'd updated my password by looking at the last-changed field.)

The surprising inconvenience is that I have set up ssh identities to give me passwordless access to my account on most machines; in fact, a lot of my usual environment relies on it. This did not strike me as a problem until I changed my password and suddenly started wanting to type the new one as much as possible to reinforce it in my mind and my fingers. Suddenly all of that passwordless access was inconvenient as well as convenient, since it meant that I'm really not typing my password all that much. This has both surprised and amused me, because sometimes I am easily amused by the perversities of life.

(Turning my ssh identities off completely would likely make various parts of my environment explode in even less convenient ways, so I've resorted to modifying an ssh cover script I already had lying around to turn this off, and using the cover script periodically just to reinforce things. You might wonder why I have an ssh cover script lying around, one that I do not mind hacking up this way; the answer is that it's set up to ignore my known-hosts file, which is very convenient when you keep reinstalling virtual machines that you want to ssh in to.)


Comments on this page:

From 173.206.100.3 at 2010-09-06 07:50:16:

I am a professional pen tester. FYI: We love sysadmins who use the same password everywhere. :-)

Using a different password for your workstation is enough to make an attacker's life more difficult. If an attacker compromises your workstation they will have access to your ssh keys, but if you are careful with what you put in sudoers the attacker will not instantly have root access on all of your systems.

By cks at 2010-09-06 23:34:06:

We have too many machines for me to use different passwords on even different classes of isolated machines; there are only so many passwords I can sensibly remember, and I am biased towards convenience over absolute security.

(After all, if I cared about absolute security I would already be using one-time passwords of some sort, both for my regular account and for root access. Sometimes I think that this would be great, and then I remember that I would strangle myself, never mind my co-workers.)

In good news, we don't use our own passwords to gain root access so knowing my password would get a pen tester only marginally further towards straightforward root access. I don't think that there is anything truly dangerous that my account has direct access to or powers over, although I could be wrong; it's sadly easy for things to slip through the cracks.

Written on 05 September 2010.

Last modified: Sun Sep 5 23:57:53 2010