
Re: shared root account



At 994738826s since epoch (07/10/01 02:20:26 -0400 UTC), Micah Anderson wrote:
> These both seem like excellent practices, for the clueless in all of us -
> can someone describe how this is done for sudo? How do you configure PAM to
> require alternative passwords, which expire and age, and are decent
> passwords? And how does one reliably log sudo logs offsite?

Please take a large grain of salt before reading, I haven't done this
stuff in a while so I'm rusty on it.  I've included references to
where I've gotten the info so you can read more about it yourself.

One can log to a different host by putting @hostname in your
syslog.conf file.  I believe it looks like this:

(`man syslog.conf`)

auth,authpriv.*                 @log.myotherhost.com

(assuming you have sudo logging at level auth)

I know this may seem obvious, but make sure that this machine does not
share admin accounts with the machine you're logging from, or the
hacker will just break in and change the logs!

As for PAM fun, try the following:

apt-get install libpam-doc libpam-opie libpam-pwdfile

The first is docs, the second is OTP (one time passwords), and the
third is to authenticate against "passwd-like" files.  The idea with
the third is that you make another passwd file (/etc/sudo.passwd), put
all your sudoers in it.  Then, change /etc/pam.d/sudo to say:

auth required /lib/security/pam_pwdfile.so pwdfile /etc/sudo.passwd

(`less /usr/doc/libpam-pwdfile/README`)

Also, from that README:

==
   The ASCII password file is simply a list of lines, each looking like
   this:
   username:crypted_passwd[13] in the case of vanilla crypted passwords,
   username:crypted_passwd[34] in the case of MD5 crypted passwords.
==

To do OTP instead, read /usr/doc/libpam-opie/README.Debian.  A full
discussion of OTP and how to set it up and use it is beyond the scope
of this thread.  Perhaps another thread would be good for that if
people are interested.  There are merits to be debated, and a whole
other flamewar awaits that topic...  =)

Anyway, that's my first stab at it; others, please comment!  I'm not
sure if this is the best/right way to do it but I hope this gets
things going.

Jason

--
Jason Healy    |     jhealy@logn.net
LogN Systems   |   http://www.logn.net/
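As an added illustration of the `/etc/sudo.passwd` format quoted from the pam_pwdfile README above (this is example code written for this page, not code from the thread or from the libpam-pwdfile project), the Python checker below reads a constructed sample file, classifies each entry as the 13-character traditional crypt form or the 34-character MD5 crypt form the README describes, and flags lines that are not in crypt(3) form at all, which a login can never match. The sample usernames and hashes are invented.

```python
import re

# Constructed sample of an /etc/sudo.passwd file (invented users and hashes,
# not taken from the thread). Line 3 is a comment and is skipped.
SAMPLE_PWDFILE = """\
alice:ab2eHnZLo9kPw
bob:$1$Xz9kq2Lm$K7vQ3hR8wPz1Yb4nM6tL0.
# comment lines and blank lines are ignored by this checker
carol:plaintextpassword
dave
erin:$1$short$x
"""

CRYPT_CHARS = r"[A-Za-z0-9./]"
# crypted_passwd[13]: traditional DES-based crypt, 2-char salt + 11 chars.
DES_RE = re.compile(rf"^{CRYPT_CHARS}{{13}}$")
# crypted_passwd[34]: MD5 crypt as the README shows it, "$1$" + 8-char salt + "$" + 22 chars.
MD5_RE = re.compile(rf"^\$1\${CRYPT_CHARS}{{8}}\${CRYPT_CHARS}{{22}}$")

NOTES = {
    "des": "traditional crypt: only the first 8 password characters are used",
    "md5": "MD5 crypt ($1$) in the 34-character form from the README",
    "invalid": "not a crypt(3) hash; no password can ever match this entry",
}


def classify_hash(hashed):
    """Return 'des', 'md5' or 'invalid' for one crypted_passwd field."""
    if DES_RE.match(hashed):
        return "des"
    if MD5_RE.match(hashed):
        return "md5"
    return "invalid"


def check_pwdfile(text):
    """Parse pam_pwdfile-style lines; return (lineno, user, kind, note) per entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append((lineno, line, "invalid", "missing ':' separator"))
            continue
        user, _, hashed = line.partition(":")
        kind = classify_hash(hashed)
        findings.append((lineno, user, kind, NOTES[kind]))
    return findings


def users_by_kind(text):
    """Map hash kind -> sorted usernames, to spot weak or unusable entries quickly."""
    groups = {}
    for _, user, kind, _ in check_pwdfile(text):
        groups.setdefault(kind, []).append(user)
    return {kind: sorted(users) for kind, users in groups.items()}


if __name__ == "__main__":
    for lineno, user, kind, note in check_pwdfile(SAMPLE_PWDFILE):
        print(f"line {lineno}: {user}: {kind} ({note})")
```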


