
changes to the use of sudo on project machines

[please follow up to -project or -admin or just me, depending on what
 seems more appropriate.]


if you use sudo on project machines this will affect you.

The short version:

If you want to use sudo in the future, go to http://db.debian.org/ and set a
sudo password for yourself.

A slightly longer version:

We are trying to limit the exposure of login and ldap passwords on project
machines.  Currently everybody who is using sudo on a project machine has
to use their login and ldap password, which in case of a compromise can be
used to access other machines and change the user's settings in ldap.

Since sudo uses the pam library to authenticate users, we can make use of a
dedicated passwords file using libpam-pwdfile for authentication to sudo.

Userdir-ldap (http://db.debian.org) has been modified to allow users to set a
(per host if desired) password for their use of sudo. After setting a new sudo
password on the web interface this change has to be confirmed by sending a
signed mail - the web interface should instruct you accordingly. This
confirmation is intended to prevent an attacker who has learned a login/ldap
password from elevating this to sudo access.

We are slowly updating the machines to use the new config.  Please see
https://dsawiki.debian.org/dsawiki/New-Sudo for per machine progress.


[is there a list that all buildd admins are on?]
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
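
The change described in this message, sudo authenticating against a dedicated password file through libpam-pwdfile instead of the login/ldap password, can be checked on a host by auditing the text of sudo's PAM configuration. The following is an added example, not part of the original message or of the project's tooling; the sample configurations, the password file path and the list of shared modules are assumptions made for illustration.

```python
import re

# One PAM rule: facility, control (plain or [bracketed]), module, arguments.
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")
# Assumed list of modules that check the login/LDAP password.
SHARED_MODULES = {"pam_unix.so", "pam_ldap.so"}

def auth_rules(pam_text):
    """Yield (control, module, args) for lines that can feed the auth stack."""
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):  # Debian-style whole-file include
            yield "@include", line.split()[-1], []
            continue
        m = RULE.fullmatch(line)
        if m and m.group(1).lstrip("-") == "auth":
            yield m.group(2), m.group(3), m.group(4).split()

def audit_sudo_pam(pam_text):
    """Return findings; an empty list means sudo auth uses only its own file."""
    findings, dedicated = [], False
    for control, module, args in auth_rules(pam_text):
        name = module.rsplit("/", 1)[-1]
        if control in ("include", "substack") or (
                control == "@include" and name.endswith("auth")):
            findings.append(f"shared auth stack pulled in: {name}")
        elif name in SHARED_MODULES:
            findings.append(f"login/LDAP password module in sudo auth: {name}")
        elif name == "pam_pwdfile.so":
            # Accept "pwdfile=PATH" and the space-separated "pwdfile PATH".
            has_file = "pwdfile" in args[:-1] or any(
                a.startswith("pwdfile=") and len(a) > 8 for a in args)
            dedicated = dedicated or has_file
            if not has_file:
                findings.append("pam_pwdfile.so has no pwdfile argument")
    if not dedicated:
        findings.append("no dedicated sudo password file configured")
    return findings

# Constructed samples; the pwdfile path is a placeholder, not the project's.
BEFORE = """#%PAM-1.0
@include common-auth
@include common-account
"""
AFTER = """#%PAM-1.0
auth required pam_pwdfile.so pwdfile=/etc/sudo-passwd.example
@include common-account
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_sudo_pam(text) or "ok")
```

A configuration that keeps a login-password module as a fallback after pam_pwdfile.so is still reported, since a stolen login password would then continue to work for sudo.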
