nanog mailing list archives
Re: Security Practices question
From: William Waites <ww () styx org>
Date: 03 Oct 2002 14:21:57 -0400
"Scott" == Scott Francis <darkuncle () darkuncle net> writes:

Scott> You don't _have_ logins directly to 4000 machines. You have
Scott> a central admin host (or five) with user-level
Scott> accounts. Those user-level accounts can 'sudo ssh <target>'
Scott> to accomplish things as root on the remote boxes.

umm... i think you have it backwards. better would be:

the admins have logins on the remote machines, with no local password
and rsa keys disabled. the remote machines trust the admin machines and
do host based authentication. most admins may or may not have root on
the admin machine. admins have normal user accounts on the admin box.
sudo is set up on the remote ones.

admin then does 'ssh foobar sudo blah' to accomplish something as root
on the remote boxes without logging in directly as root. ever. (for a
remote root shell, 'ssh -t foobar sudo su -' or similar)

the main difference is it leaves an audit trail of who is doing what
where as root -- with 4000 machines, you are doing remote logging, no?

Scott> All of which can be handled with sudo, without giving away
Scott> the keys to the castle.

>> Sorry to ruffle your dogma.

Scott> Not dogma, just best practice.

since when does best practice entail logging in directly as root over
the network?

--
William Waites <ww () styx org>
Idiosyntactix Research Laboratories
http://www.irl.styx.org