Rob van der Heij wrote:
> On Thu, Jan 22, 2009 at 7:03 PM, Mark Post <[email protected]> wrote:
>> Second, as John Summerfield has pointed out, by default no indication of what
>> public/private key pair was used for authentication is logged. To get _that_
>> to happen, and to be able to correlate who signed in, then the default of
>> LogLevel INFO needs to be changed to LogLevel VERBOSE. Once that is done, you
>> get syslog entries such as
>
> True. We actually made a modification to sshd to display the comments
> field from the key that was matched. But as I pointed out earlier in
> this thread, we avoided using the root account entirely (except for
> extreme emergencies).
>
> But this approach still has most of the problems of shared userids.
> When two people have both logged in as root with their own cryptic key
> pair, you will be mostly puzzled which of them did the things that
> turned out to be a problem (because the PID of the shell is not part
> of most auditing).
>
> With sudo you get the privileged commands in the system logging and it
> is much easier to understand what happened and who is to blame.
As I've pointed out before, unless you're really careful it's easily
circumvented, and sometimes allowing someone to do one thing (e.g. manage
Linux user accounts) may allow them more privilege than they should have
(e.g. create a privileged account and misuse it).
--
Cheers
John
-- spambait
[email protected] [email protected]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
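The correlation Mark and Rob discuss, shown as an added Python example that is not code from the thread, from sshd, or from any LINUX-390 site: it maps each `Accepted publickey` log line back to the comment field of the matching key in root's authorized_keys, which is what Rob's sshd modification achieved in the daemon itself. The key material, host name, addresses, PIDs and log lines are all constructed for the example. The fingerprint formats (the `SHA256:` unpadded-base64 form and the older colon-separated hex MD5 form) follow OpenSSH's conventions, and the single-line `... ssh2: <keytype> <fingerprint>` log shape assumed here is that of later sshd releases, so the example goes beyond the 2009-era output the thread refers to; the older two-line `Found matching ... key:` form is not handled.

```python
"""Map sshd public-key logins back to the owner named in authorized_keys.

Added example, not code from the LINUX-390 thread. If sshd logs the fingerprint
of the key that authenticated, and every key in root's authorized_keys carries a
comment naming its owner, a shared-root login can still be attributed to a
person. All key material, hosts, addresses and log lines are constructed.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional, Tuple


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def _ed25519_blob(raw32: bytes) -> bytes:
    """OpenSSH ed25519 public-key blob from 32 bytes (constructed, not a real key)."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)


# Constructed authorized_keys content; the comment field is what names the owner.
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample: root's authorized_keys",
    "ssh-ed25519 " + base64.b64encode(_ed25519_blob(bytes(range(32)))).decode() + " alice@laptop",
    'from="192.0.2.0/24" ssh-ed25519 '
    + base64.b64encode(_ed25519_blob(bytes(range(32, 64)))).decode() + " bob@desktop",
])

# Key type, base64 blob and optional comment; leading options such as from="..." are skipped over.
KEY_RE = re.compile(
    r"(?P<type>ssh-[a-z0-9-]+|ecdsa-sha2-[a-z0-9]+)\s+(?P<b64>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>\S.*))?$"
)
# "Accepted publickey" line; key type and fingerprint are absent when sshd does not log them.
LOG_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2(?:: (?P<ktype>\S+) (?P<fp>\S+))?"
)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated hex MD5 fingerprint, as older sshd releases logged it."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_authorized_keys(text: str) -> List[Tuple[bytes, str]]:
    """Return (key blob, comment) per key line; a key without a comment gets a placeholder."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue
        entries.append((base64.b64decode(m.group("b64")), m.group("comment") or "<no comment>"))
    return entries


def build_owner_index(entries: List[Tuple[bytes, str]]) -> Dict[str, str]:
    """Index both fingerprint forms of every key by its comment, so either log format resolves."""
    owners: Dict[str, str] = {}
    for blob, comment in entries:
        owners[fingerprint_sha256(blob)] = comment
        owners[fingerprint_md5(blob)] = comment
    return owners


def attribute_logins(log_lines: List[str], owners: Dict[str, str]) -> List[Tuple[str, str, Optional[str], Optional[str]]]:
    """Return (user, source ip, logged fingerprint, owner comment or None) per public-key login."""
    report = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an accepted public-key login
        fp = m.group("fp")
        owner = None
        if fp:
            # Some sshd builds prefix an MD5 fingerprint with "MD5:"; the index holds the bare hex form.
            owner = owners.get(fp[4:] if fp.startswith("MD5:") else fp)
        report.append((m.group("user"), m.group("ip"), fp, owner))
    return report


_ENTRIES = parse_authorized_keys(AUTHORIZED_KEYS)
# Constructed log lines: a SHA256-fingerprint login, a legacy MD5 one, a key nobody registered,
# and a line carrying no fingerprint at all, which cannot be attributed to anyone.
SAMPLE_LOG = [
    "Jan 22 19:03:11 lnx1 sshd[4242]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2: "
    "ED25519 " + fingerprint_sha256(_ENTRIES[0][0]),
    "Jan 22 19:05:42 lnx1 sshd[4250]: Accepted publickey for root from 192.0.2.11 port 51240 ssh2: "
    "ED25519 MD5:" + fingerprint_md5(_ENTRIES[1][0]),
    "Jan 22 19:07:00 lnx1 sshd[4261]: Accepted publickey for root from 198.51.100.7 port 40000 ssh2: "
    "ED25519 SHA256:" + "A" * 43,
    "Jan 22 19:09:30 lnx1 sshd[4270]: Accepted publickey for root from 192.0.2.12 port 51300 ssh2",
]


def main() -> None:
    for user, ip, fp, owner in attribute_logins(SAMPLE_LOG, build_owner_index(_ENTRIES)):
        print(f"{user} from {ip}: {owner or 'UNATTRIBUTED'} ({fp or 'no fingerprint logged'})")


if __name__ == "__main__":
    main()
```

The two unattributed lines are the cases the thread is about: a fingerprint that matches no registered key should be investigated rather than ignored, and a line with no fingerprint at all is exactly what a log level that omits the key leaves you with. Because the owner index is rebuilt from authorized_keys, a key added without a comment shows up as `<no comment>`, which is itself worth alerting on.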