Subject: Re: sshd Change: PermitRootLogin = no
To: Bill Studenmund <wrstuden@netbsd.org>
From: Noriyuki Soda <soda@sra.co.jp>
List: current-users
Date: 09/07/2001 18:31:56
>>>>> On Thu, 6 Sep 2001 13:03:44 -0700 (PDT),
	Bill Studenmund <wrstuden@netbsd.org> said:

>> 5. Have had it legitimately at one point, but no longer have (or
>> never have had) an account on particular machines.
>> 
>> Certainly for situation #5, I could reel off a dozen circumstances where
>> this is currently the case. (I won't, for obvious reasons.)

> All the places I've been, when someone who had the root password leaves,
> we change the root password. I really don't understand why you wouldn't.

We don't change the root password in that case.
In our configuration, only one administrator knows the root password, and
every administrator uses his own password to get root privilege.
So, we don't have to change the root password, unless the person who knows
the root password leaves.

This configuration has several merits.

1. This doesn't require a shared root password.
  As everyone knows, a shared password is insecure.

2. This reduces maintenance cost dramatically.

  Changing the root password every time is expensive, if we have to do
  that every time a user (who had root privilege) moves to a
  different division (but still has an account to support the old project).

  Also, there is a danger that the root password may not be changed
  by mistake in your policy.

  And also, choosing a good root password every time is a really hard
  thing, especially because all administrators have to remember the
  password.

We don't enable PermitRootLogin, either, not only because we don't
need that, but also:

3. Enabling root login harms version management of administrative
  files.

  In an environment where there are several administrators, version
  management is an indispensable thing. If we permit root login,
  we can track who did a change via version management tools.
--
soda