On Wed, 02 Oct 2002 17:48:16 PDT, just me said:
In a situation where the team needs root; all per-admin UID 0
accounts add is accountability and personalized shells/environments.
Accountability is always good, but you can do even better with sudo (Sorry,
I couldn't resist).
As far as
On Wed, Oct 02, 2002 at 05:48:16PM -0700, [EMAIL PROTECTED] said:
On Wed, 2 Oct 2002, Scott Francis wrote:
Can you back up that statement in /any/ way? What exactly are your reasons
why sudo is a worse solution (or even a bad idea)?
In an environment where every sysadmin is
On Thu, 3 Oct 2002, Scott Francis wrote:
On Wed, Oct 02, 2002 at 05:48:16PM -0700, [EMAIL PROTECTED] said:
In an environment where every sysadmin is interchangeable, and any one
of them can be woken up at 3am to fix the random problem of the day,
you tell me how to manage 'sudoers' on
On Thu, Oct 03, 2002 at 09:57:10AM -0700, [EMAIL PROTECTED] said:
On Thu, 3 Oct 2002, Scott Francis wrote:
On Wed, Oct 02, 2002 at 05:48:16PM -0700, [EMAIL PROTECTED] said:
In an environment where every sysadmin is interchangeable, and any one
of them can be woken up at 3am to fix
You still haven't given me a single example of what these problems
are. Just hand-waving and talk about the right way is.
It is rather simple and had been addressed lots of times. I really fail to
understand why people do keep re-inventing the wheel.
Give your admins crypto cards. Make
Scott == Scott Francis [EMAIL PROTECTED] writes:
Scott You don't _have_ logins directly to 4000 machines. You have
Scott a central admin host (or five) with user-level
Scott accounts. Those user-level accounts can 'sudo ssh target'
Scott to accomplish things as
I was assuming a more complex configuration than the wide-open one
advocated by Barb, which seems to add little to no security benefit.
I'm sorry I wasn't clear on this point; of course pushing out a single
file to n machines shouldn't be a problem.
Of course. And a complex sudoers setup can
On Tue, Oct 01, 2002 at 02:43:41PM -0700, [EMAIL PROTECTED] said:
[snip]
I have a question for the security community on NANOG.
What is your learned opinion of having host accounts
(unix machines) with UID/GID of 0:0
in other words
jmbrown_r:password:0:0:John M.
On Wed, Oct 02, 2002 at 11:34:38AM -0700, [EMAIL PROTECTED] said:
[snip]
This is a really /really/ REALLY bad idea. I had nightmare issues dealing
with a network formerly run by a 'sysadmin' who thought every user that
might need to do something as root should have a uidzero account.
On Tue, Oct 01, 2002 at 02:43:41PM -0700, [EMAIL PROTECTED] said:
[snip]
On Mon, Sep 23, 2002 at 02:44:34PM -0700, Scott Francis wrote:
On Sun, Sep 22, 2002 at 03:22:11PM -0700, [EMAIL PROTECTED] said:
I have a question for the security community on NANOG.
What is your learned
On Wed, Oct 02, 2002 at 04:06:00PM -0400, [EMAIL PROTECTED] said:
[ On Wednesday, October 2, 2002 at 11:47:12 (-0700), Scott Francis wrote: ]
Subject: Re: Security Practices question
Absolutely so - which is why no account should have multiple equally valid
passwords, which is what
On Wed, Oct 02, 2002 at 05:08:05PM -0400, [EMAIL PROTECTED] said:
[ On Wednesday, October 2, 2002 at 13:26:15 (-0700), Scott Francis wrote: ]
Subject: Re: Security Practices question
grr. Please read Barb's post about exactly why multiple aliases for the
UID 0 account is a Bad Idea. It's
On Wed, 2 Oct 2002, Scott Francis wrote:
Can you back up that statement in /any/ way? What exactly are your reasons
why sudo is a worse solution (or even a bad idea)?
In an environment where every sysadmin is interchangeable, and any one
of them can be woken up at 3am to fix the random
jm Date: Wed, 2 Oct 2002 17:48:16 -0700 (PDT)
jm From: just me
jm In an environment where every sysadmin is interchangeable, and
jm any one of them can be woken up at 3am to fix the random
jm problem of the day, you tell me how to manage 'sudoers' on
jm 4000 machines.
krb5/ksu
Eddy
--
On Wed, 2 Oct 2002, just me wrote:
In an environment where every sysadmin is interchangeable, and any one
of them can be woken up at 3am to fix the random problem of the day,
you tell me how to manage 'sudoers' on 4000 machines.
In a situation where the team needs root; all per-admin UID 0
On Wed, Oct 02, 2002 at 05:48:16PM -0700, just me wrote:
On Wed, 2 Oct 2002, Scott Francis wrote:
Can you back up that statement in /any/ way? What exactly are your reasons
why sudo is a worse solution (or even a bad idea)?
In an environment where every sysadmin is interchangeable,
At 05:48 PM 10/2/02 -0700, just me wrote:
In an environment where every sysadmin is interchangeable, and any one
of them can be woken up at 3am to fix the random problem of the day,
you tell me how to manage 'sudoers' on 4000 machines.
Sudo provides for one master sudoers file that you can copy
could use scp also. Although not as secure, you'd need null keys.
But could also have the same issues with rdist.
Joel Baker wrote:
On Wed, Oct 02, 2002 at 05:48:16PM -0700, just me wrote:
On Wed, 2 Oct 2002, Scott Francis wrote:
Can you back up that statement in /any/ way? What exactly
eddy == E B Dreger [EMAIL PROTECTED] writes:
jm Date: Wed, 2 Oct 2002 17:48:16 -0700 (PDT)
jm From: just me
jm In an environment where every sysadmin is interchangeable, and any
jm one of them can be woken up at 3am to fix the random problem of
jm the day, you tell me how to manage 'sudoers'
On Sun, Sep 22, 2002 at 03:22:11PM -0700, [EMAIL PROTECTED] said:
I have a question for the security community on NANOG.
What is your learned opinion of having host accounts
(unix machines) with UID/GID of 0:0
in other words
jmbrown_r:password:0:0:John M.
I have a question for the security community on NANOG.
What is your learned opinion of having host accounts
(unix machines) with UID/GID of 0:0
in other words
jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
The argument is that way you don't have to give out the root
On Sun, 22 Sep 2002, John M. Brown wrote:
What is your learned opinion of having host accounts
(unix machines) with UID/GID of 0:0
in other words
jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
The argument is that way you don't have to give out the root password,
John M. Brown wrote:
I have a question for the security community on NANOG.
I confess that I think of NANOG as not being a security community, rather
it is a group of North American network operators. That said, you can find
all sorts of info for the somewhat naive question below by a slightly
see below
On Sun, Sep 22, 2002 at 03:47:56PM -0700, Etaoin Shrdlu wrote:
John M. Brown wrote:
I have a question for the security community on NANOG.
I confess that I think of NANOG as not being a security community, rather
it is a group of North American network operators. That said,
JMB Date: Sun, 22 Sep 2002 15:22:11 -0700
JMB From: John M. Brown
JMB jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
Kerberos. ksu is a good thing.
Ignoring physical ttys on home machines, insecure is the way to
go on all ttys in /etc/ttys (BSD).
Eddy
--
Brotsman