[SLL] sharing superuser account is always bad policy, right?

Phil Mocek pmocek-sll at mocek.org
Fri Feb 6 10:22:15 PST 2009


In response to my concerns over the security policies of a company
providing dedicated server hosting, on Fri, Feb 06, 2009 at
09:45:57AM +0800, Anand Vaidya wrote:
> Since you are the customer, why don't you demand that these poor
> practices are unacceptable (at any price) and force them to
> implement what other list members are recommending?

I'm teetering between the decision to do that and to take this
business elsewhere.

Someone from their tech support department followed up with an
apology for their request to have me send the root password via
e-mail and wrote:
>> None of the passwords that are listed in the control center are
>> stored in clear text. They are decrypted from our customer
>> database and displayed upon the user's request only. And even when
>> the password is requested to be displayed, the user making the
>> request is challenged with a security question. Any page within
>> the control center is encrypted through SSL. No end user can
>> access the control center without using SSL and no data between
>> the control center server and the end user is ever sent in clear
>> text. 
>> 
>> Typically the passwords are locked in the control center as
>> mentioned above, therefore requesting the information over insecure
>> methods is not needed or desired.
>> 
>> Indeed our datacenter associates have direct physical access to
>> the server, but simply feeling the server is not going to be the
>> best form of diagnostic to assist in correcting the issue.
>> Regardless if we find a problem with the ventilation or not, we
>> would want to be able to confirm with the server rather than
>> waiting on email to be transferred, so that we can provide a prompt
>> and thorough resolution. 
>> 
>> It is not our practice to pass or share any password for any
>> customer regardless if they be a dedicated or shared customer. The
>> only reason an associate from CrystalTech would need to view your
>> password is if you have directly requested our services for
>> investigation into an issue such as this one. Even if there is an
>> issue with someone compromising your password from the web control
>> center, the control center tracks logins to the control center and
>> allows us to pinpoint who was logged in at the time. Your server
>> does the same function. If you notice when using SSH to get into
>> your server, after you successfully log in, the prompt tells you
>> when the last successful login was, and from what IP address if I
>> remember correctly. 
>> 
>> Also I notice that you have managed services with your server
>> which means that you've opted for us to log in periodically to
>> assist you with the upkeep on your server. If that root password
>> is changed it restricts us from doing so. 
>> 
>> If you can please contact me via phone to supply the root user
>> password, I will have our datacenter associates begin reviewing
>> the server as soon as possible. If you don't wish to supply that
>> information I will still have them proceed looking at the server,
>> however this will slow down the resolution. 

-- 
Phil Mocek

