Michael MacIsaac wrote:
Marcy,
Same rule here.... (if only some of these vendors (cough ibm/tivoli
cough) would comprehend... )
I'm trying to comprehend, and will also try to bubble the message upwards
in my small sphere of influence.
So let me ask this to the list - what are the rules regarding key-based
authentication? Is this approach not authorized even though no root (or
any other) password goes over the wire? Or is it just the rule that the
/root/.ssh/authorized_keys file never exists?
If there is no key-based authentication for root allowed, can there be for
non-root users (not sure how much this will help).
Auditors like to think they know who did things. If I connect to your
system using ssh, how do you know it's me? All you know is that someone
connected using a public key you've approved.
One thing I'm looking for is a way that a central Linux system can pull
important data (/etc/fstab /etc/zipl.conf,
/etc/sysconfig/network/ifcfg-qeth-*), and run certain commands remotely on
other Linux systems without the need for someone sitting typing a password
many times.
Most of that stuff is (generally) available to all - the only exceptions
I can think of are secrets such as wireless keys. sshd might have
secrets too.
Systems management tasks need to be automated to scale the number of
servers a single admin can care for, but security rules in certain shops
seem to be preventing that. There must be some intelligent compromise
(and it probably involves sudo)
_I_ don't think sudo is as bullet-proof as people think. Certainly, it
needs care to set up to control everything and I've never tried to do that.
Three quick examples.
I can run anything. That means I can run a shell directly, and so avoid
most of sudo's logging. Sure, you can ask me later, but if I was
deliberately doing something bad I also sanitised logs.
I can't do much, but I can create new user accounts. I create a new
account with uid=0. Now I can do anything I like, and the logs won't
help you either.
I can install software. I can install some backdoor, maybe unpackaged so
rpm doesn't report it.
I'm sure selinux can help here.
Thanks.
"Mike MacIsaac" <[email protected]> (845) 433-7061
Oh, decades ago, on OS user programs could use WTO to write messages
on the operator console(s). Eventually, someone worked out that
unauthorised programs (we're talking APF here) should not be able to write
messages indistinguishable from system messages (maybe using WTOR to get
passwords), and from then those messages were prefixed by a plus.
On Linux, writing to syslog a few messages alleging you, Mike MacIsaac,
used the command "/sbin/fdasd /dev/dasda" might cause you some
employment difficulties and/or cause you to disbelieve other messages.
--
Cheers
John
-- spambait
[email protected] [email protected]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
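The three sudo escapes John lists above (an "ALL" rule that hands out a shell, an account-management rule that can mint a second uid 0 login, and a package-install rule that can drop an unpackaged backdoor) are all visible in the sudoers file before anyone abuses them. The following is an added example, not code from the thread or from the sudo project: a small audit that parses the common `user host=(runas) TAG: cmd, cmd` form of a sudoers rule, flags the dangerous patterns, and separately checks a passwd file for the "new account with uid=0" trick. The sample sudoers and passwd contents are constructed for the demo; the parser deliberately ignores aliases, `#include` directives and the rarer grammar, so treat it as a first pass, not a replacement for `visudo -c` and a proper review.

```python
"""Audit sudoers rules for the escapes described in the LINUX-390 thread.

Added example (not from the thread or the sudo project).  Flags rules that let
a user (1) run any command or a shell, (2) manage accounts and so create a
second uid 0 login, or (3) install software as root.  Also lists extra uid 0
accounts in a passwd file.  All sample input below is constructed.
"""
import os
import re
import shlex

# Constructed sample sudoers: one rule per "quick example" from the thread.
SAMPLE_SUDOERS = """
Defaults    requiretty
root        ALL=(ALL) ALL
# 1. "I can run anything": a shell escape is one keystroke away
mike        ALL=(ALL) ALL
# 2. "I can create new user accounts": useradd -o -u 0 gives a second root
ops         ALL=(root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod
# 3. "I can install software": rpm -i on an attacker-built package runs as root
deploy      ALL=(root) /bin/rpm, /usr/bin/yum
# Tightly scoped rule: exact binary, exact argument, no wildcard
backup      ALL=(root) NOPASSWD: /bin/cat /etc/fstab
"""

# Constructed sample passwd with a second uid 0 account planted.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mike:x:1000:1000::/home/mike:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
"""

SHELLS = {"sh", "bash", "ksh", "zsh", "csh", "tcsh", "dash"}
EDITORS = {"vi", "vim", "nano", "emacs", "ed", "less", "more", "man"}  # all have shell escapes
ACCOUNT_TOOLS = {"useradd", "usermod", "adduser", "vipw", "passwd", "chpasswd", "newusers"}
INSTALLERS = {"rpm", "yum", "dnf", "zypper", "apt", "apt-get", "dpkg", "pip"}
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_rules(text):
    """Yield (user, runas, [commands]) for each 'user host=(runas) TAG: cmds' line.

    Comments, Defaults and alias definitions are skipped.  Real sudoers syntax
    is richer than this; the parser covers only the common shape.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES) or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        parts = lhs.split()
        if len(parts) != 2:          # expect exactly "user host"
            continue
        user, rhs, runas = parts[0], rhs.strip(), "root"
        m = re.match(r"\(([^)]*)\)\s*(.*)", rhs)
        if m:                        # optional (runas) group
            runas, rhs = m.group(1), m.group(2)
        cmds = []
        for cmd in rhs.split(","):
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: etc.
            if cmd:
                cmds.append(cmd)
        yield user, runas, cmds


def classify(cmd):
    """Return why a command grants more than its face value, or None if it looks scoped."""
    if cmd == "ALL":
        return "runs any command, including a shell; sudo logs only the shell start"
    prog = os.path.basename(shlex.split(cmd)[0])
    if prog in SHELLS or prog in EDITORS:
        return "shell or shell escape; later commands bypass sudo logging"
    if prog in ACCOUNT_TOOLS:
        return "account management; can create a second uid 0 login"
    if prog in INSTALLERS:
        return "package install; can drop an unpackaged backdoor as root"
    if any(ch in cmd for ch in "*?["):
        return "wildcard argument; sudo matches with fnmatch, so extra args slip through"
    return None


def audit_sudoers(text):
    """Return (user, runas, command, reason) for every risky non-root rule."""
    findings = []
    for user, runas, cmds in parse_rules(text):
        if user == "root":
            continue
        for cmd in cmds:
            reason = classify(cmd)
            if reason:
                findings.append((user, runas, cmd, reason))
    return findings


def extra_uid0(passwd_text):
    """Return login names other than root that carry uid 0."""
    return [f[0] for f in (l.split(":") for l in passwd_text.splitlines())
            if len(f) >= 3 and f[2] == "0" and f[0] != "root"]


if __name__ == "__main__":
    for user, runas, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user} -> ({runas}) {cmd}: {reason}")
    print("extra uid 0 accounts:", extra_uid0(SAMPLE_PASSWD))
```

Run against the constructed sample it reports the `mike`, `ops` and `deploy` rules and the `toor` account, and passes the `backup` rule, which is the shape a scoped automation rule should take: one binary, fixed arguments, no wildcard. It says nothing about the syslog-forgery point John raises at the end; a rule set that passes this check still only tells you which key or account sudo saw, not who was at the keyboard.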