  1. #1

    Question: Root passwd requested over email

    Hi,

    I have signed up for dedicated managed hosting some time back.

    I am just curious what the normal practice is here.
    When server issues arise, the hosting support staff will ask for my server root password by email.

    But I don't feel quite comfortable providing the root password over normal email.

    1) Can't the support staff sulogin to root?
    2) What is the normal practice for requesting the root password?

    Thank you.

  2. #2
    Unless you kept the default root passwd they gave you on setup, I don't think there is any way they can log in to the system.

    I agree the practice of requesting the root password, which is done by MANY hosts I think, is not too good. But what alternative is there?

    Some hosts have a control panel (don't remember which) where you can update (through an SSL connection) your root password in their database so they have access on their part, thus not needing to use email. This is a neat feature, kinda.

    Another solution would be to use this PGP encrypted email thing on both sides. But no one does this?

    Finally, if you are forced to send your root passwd by normal email (which is in principle totally unencrypted), make sure you change your root passwd after they're done with it.

    Some sort of secure, standardized way of doing this would be very nice.

  3. #3
    Join Date: Jun 2003 | Location: UK | Posts: 6,601
    We have this problem, and you have to take it that a majority of people want their problem fixed. We do offer https access to the ticket system, but generally replying to email is quicker. As beowulfdk said, for most customers what alternative is there?

    Rus
    Russ Foster - Industry Curmudgeon

  4. #4
    Join Date: Jul 2003 | Location: Texas | Posts: 785
    Create a standard SSH shell wheel account for the techs to log in with and then place the 'su' password in a text file in their home directory to use to 'su' to root. You will not be sending your password off your server or allowing them to store your root password in an internal database (who knows how strong the security is on that server?). Another option is for you to set up the standard shell user and create a sudoers entry for them to use.
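    A concrete version of the second option in that post (a named shell account plus a sudoers entry), added here as an example and not code from any poster in the thread. The user name hosttech, the sudoers.d drop-in path and GNU date for the expiry are assumptions. Rendering the drop-in is kept separate from installing it, so the text can be checked with visudo before it lands in /etc/sudoers.d, and the account is locked for password login (the tech authenticates with their own SSH key) and expires with the ticket window.

```shell
#!/bin/sh
# Added example (not from the thread): give a hosting tech root via sudo under
# a named, expiring account instead of handing out the root password.
# SUPPORT_USER and SUDOERS_DIR are assumed names for illustration.
SUPPORT_USER="${SUPPORT_USER:-hosttech}"
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"

# Render the sudoers drop-in for one tech: full root through sudo, with the
# session output recorded (sudo I/O log) so the customer can review it later.
support_sudoers_entry() {
    user="$1"
    printf '%s ALL=(ALL:ALL) ALL\n' "$user"
    printf 'Defaults:%s log_output\n' "$user"
}

# Syntax-check rendered sudoers text (read from stdin) with visudo before it
# is installed; a malformed drop-in can lock everyone out of sudo.
# The temp file is set to 0440 so visudo's mode check does not trip.
validate_sudoers_text() {
    tmp="$(mktemp)" || return 1
    cat > "$tmp"
    chmod 0440 "$tmp"
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found; skipping syntax check" >&2
        rc=0
    elif visudo -c -q -f "$tmp"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Create the account (run as root). Password login is locked, the account
# expires after N days, and the validated drop-in is installed read-only.
provision_support_user() {
    user="${1:-$SUPPORT_USER}"
    days="${2:-7}"
    useradd -m -s /bin/sh "$user"
    passwd -l "$user"
    chage -E "$(date -d "+$days days" +%F)" "$user"   # GNU date assumed
    support_sudoers_entry "$user" | validate_sudoers_text || return 1
    support_sudoers_entry "$user" > "$SUDOERS_DIR/$user"
    chmod 0440 "$SUDOERS_DIR/$user"
}

# Remove the account and its sudo rights once the ticket is closed.
revoke_support_user() {
    user="${1:-$SUPPORT_USER}"
    rm -f "$SUDOERS_DIR/$user"
    userdel -r "$user"
}

# Usage (as root):  sh support-sudo.sh provision hosttech 7
#                   sh support-sudo.sh revoke hosttech
case "${1:-}" in
    provision) provision_support_user "$2" "$3" ;;
    revoke)    revoke_support_user "$2" ;;
esac
```

The point of the split is that nothing secret is written to disk: the tech never learns the root password, what they did is in the sudo I/O log under /var/log/sudo-io, and closing the ticket is one command rather than a password rotation.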

  5. #5
    Join Date: Jun 2003 | Location: UK | Posts: 6,601
    Actually why not just generate an SSH root key...

    Rus
    Russ Foster - Industry Curmudgeon

  6. #6
    Join Date: Jun 2002 | Posts: 362
    It's never really a good idea to store root passwords anywhere on the server; it's just an unnecessary risk. IMO the best way to do it is to have a secure https environment (such as an SSL cert for a helpdesk) which allows storing clients' root passwords inside their helpdesk information. Not entirely foolproof, but better than some ideas that have been suggested.

  7. #7
    Join Date: Feb 2003 | Location: Kuala Lumpur, Malaysia | Posts: 4,974
    Originally posted by LTADMIN
    Create a standard SSH shell wheel account for the techs to log in with and then place the 'su' password in a text file in their home directory to use to 'su' to root. You will not be sending your password off your server or allowing them to store your root password in an internal database (who knows how strong the security is on that server?). Another option is for you to set up the standard shell user and create a sudoers entry for them to use.
    We used to do that but it's a hassle. Would prefer logging into root directly.

  8. #8
    Join Date: May 2003 | Posts: 1,664
    We use a ticketing system to help deal with this. Also, there are notes sections in the customers' billing setups where they can specify information they want us to know, which is more secure. I agree that root passwords over email are not the safest way to send them. If that is the case, though, you can do it and then change the password as soon as they are out of the server.

  9. #9
    Greetings:

    On those occasions where we don't have access, we ask for the client to FAX us such information.

    When a FAX will not do, there are various ways to secure the information:

    Secure email over digital ID (this is not the same as filling out an https page, as the server may use regular email to transmit the information).

    Splitting up the information over several emails.

    Putting the information in a password-protected Word or Excel document. Sending the password for the document and the document separately.

    Telephone.

    Thank you.
    ---
    Peter M. Abraham

  10. #10
    The telephone is probably the quickest way, with a reasonable amount of security.

    Rule of thumb: I would only distribute a root password by any of the same methods that I would use to disclose my credit card number.

  11. #11
    Join Date: Mar 2003 | Location: California USA | Posts: 13,290
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
