Re: shared root account
As far as trusting their password choices, I'm not too worried about
password guessing attacks; if an admin gets a password past pam_cracklib.so
(without overriding it as root), I have doubts that someone's going to
guess the password. Admins using the same password for multiple accounts
is another problem entirely; I don't have an answer for this, unfortunately,
other than a) making it company policy to use different passwords on
different machines, or b) as others have suggested, using pam to use
one-time passwords or something.
As far as trusting admins with their actions, this is the same whether
or not you're using a shared root account, or sudo. If the admin is
ssh'ing in from home, on a compromised windows box, and using any type
of root function, the attacker now has the capability to do the same.
If you're worried about this sort of thing, again, policy is the
most effective technique. Set up a firewall (that the admins don't
have access to), so that admins may only ssh into high security boxes
while physically at work. If using windows, have workstations reinstalled
frequently, and disallow installation of third party software. Or even
better, don't use windows. ;) If using some form of unix, use
an internal company distro (modified popular distro w/ extra needed
software, perhaps logging of md5sums or logs to a central server).
I could list a million other things you can do, but basically just
ensure that admins are _probably_ originating from a secured machine.
At least w/ sudo, if a password gets out (and syslog is logging
somewhere besides localhost), you can see which account the breakin
originated from, and take appropriate action.
On Mon, Jul 09, 2001 at 08:00:14AM -0700, Micah Anderson wrote:
> Having said that we do it this way as well, I'll point out one flaw which
> particularly nags at me. Andreas said, "a) allowing convenience by allowing
> the user to effectively choose their own root passwd." which roughly
> equates to the difference between having one root password that can be
> cracked to get to the system, to having N+1 root passwords that can be
> cracked to get at the system (where N=number of admins with sudo access). At
> this point it is a toss up - is the convenience of not having to pass around
> the root password to all the admins worth the additional cracks? Do you
> trust each admin to be secure with both their password choices as well as
> the rest of their actions?
"... being a Linux user is sort of like living in a house inhabited
by a large family of carpenters and architects. Every morning when
you wake up, the house is a little different. Maybe there is a new
turret, or some walls have moved. Or perhaps someone has temporarily
removed the floor under your bed." - Unix for Dummies, 2nd Edition
-- found in the .sig of Rob Riggs, firstname.lastname@example.org
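As an added example (not code from this thread), here is what the attribution the reply above relies on looks like once the sudo and sshd lines reach a central syslog host: each root action is tied back to the invoking account and the address its ssh session came from, and root use from outside the internal networks the "only from work" policy describes is flagged. The log lines, hostnames and network ranges are constructed for the example.

```python
import re
import ipaddress

# Constructed sample syslog lines (sshd logins followed by sudo entries).
SAMPLE_LOG = """\
Jul  9 08:01:10 web1 sshd[2101]: Accepted publickey for alice from 192.168.10.5 port 40122 ssh2
Jul  9 08:02:33 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service sshd restart
Jul  9 08:15:44 web1 sshd[2188]: Accepted password for bob from 203.0.113.7 port 51002 ssh2
Jul  9 08:16:02 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul  9 08:17:30 web1 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
"""

# sshd "Accepted <method> for <user> from <addr> port ..." lines
SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
# sudo's default syslog line; the "N incorrect password attempts" prefix is optional
SUDO_RE = re.compile(
    r"sudo:\s+(\S+) : (?:(\d+) incorrect password attempts ; )?"
    r"TTY=(\S+) ; PWD=(\S+) ; USER=(\S+) ; COMMAND=(.*)$"
)

# Assumed internal ranges; admins are expected to ssh in only from these.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def audit(log_text):
    """Return (finding, user, source_ip, command) tuples for every sudo entry."""
    last_src = {}  # user -> source address of that user's most recent ssh login
    findings = []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            _method, user, src = m.groups()
            last_src[user] = src
            continue
        m = SUDO_RE.search(line)
        if not m:
            continue
        user, fails, _tty, _pwd, _target, cmd = m.groups()
        src = last_src.get(user, "unknown")
        if fails:                      # wrong password N times: the account, not root, is named
            findings.append(("failed_auth", user, src, cmd))
        elif src == "unknown" or not is_internal(src):
            findings.append(("root_from_outside", user, src, cmd))
        else:
            findings.append(("root_ok", user, src, cmd))
    return findings
```

With a shared root account the equivalent `su` line names only "root", so none of this attribution is possible.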