gabriel rosenkoetter on Mon, 1 Jul 2002 14:25:11 -0400
On Mon, Jul 01, 2002 at 02:08:03PM -0400, Fred K Ollinger wrote:
> My $.02 says that what gabriel wants is for people to login remotely as
> root then immediately su to user then exit back to root to do those few
> steps where you really need to be root?

What purpose could that possibly serve?

I want them to login as themselves (using PKI, of course) most of the time and login as root (using a different key, ideally, one whose physical security is kept higher) when it's necessary to do things as root.

Each user with root access would have their own key, so actions taken by different people are easily logged (sshd records what key ID was used for login if you tell it to, in addition to the source IP address) with the aid of acctlog. This is *better* than a sulog, as who knows how easily a given user account could be compromised, but (in theory) only your real users have access to their own private keys.

It also lets you allow and disallow access to the root account granularly without ever telling anyone the root password (which makes it very easy to remove a laid off employee's access without hustling around and changing a lot of passwords: he never had any to begin with).

Though the user key could be left in an xlocked terminal when one leaves for the day, the root-access key should not be. (It should be, as I said, kept on a floppy that stays on your person when you're not at your terminal.)

There are threat models under which this would be an insecure system, but I really doubt you'd encounter them in most corporate environments and certainly not on your home Linux machine.

-- 
gabriel rosenkoetter
gr@eclipsed.net
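Added example, not part of the original message: a sketch of the per-key audit the message describes, attributing each accepted root login in an sshd log to the person whose key was used. It assumes the "Accepted ... ssh2: TYPE SHA256:..." line format written by current OpenSSH, root `authorized_keys` entries without an options field whose comment names the key's holder, and constructed placeholder keys and addresses; the function names are hypothetical.

```python
import base64, hashlib, re

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_owners(authorized_keys_text):
    """Map fingerprint -> comment field (the person the key was issued to)."""
    owners = {}
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        # Assumption: entries look like "keytype blob comment", no options field.
        owners[fingerprint(fields[1])] = " ".join(fields[2:]) or "(no comment)"
    return owners

# The fingerprint group is optional because password logins carry none.
ACCEPT = re.compile(
    r"Accepted (\S+) for root from (\S+) port \d+ ssh2(?:: \S+ (SHA256:\S+))?")

def attribute_root_logins(log_text, owners):
    """Return (source_ip, method, owner_or_alert) for each accepted root login."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPT.search(line)
        if not m:
            continue
        method, ip, fp = m.groups()
        if method != "publickey":
            owner = "ALERT: non-key login"      # root should only arrive by key
        else:
            owner = owners.get(fp, f"ALERT: unknown key {fp}")
        events.append((ip, method, owner))
    return events

# Constructed sample data: placeholder blobs, not real keys; documentation IPs.
ALICE, BOB, GONE = (base64.b64encode(s).decode() for s in
                    (b"constructed-alice", b"constructed-bob", b"constructed-removed"))
SAMPLE_KEYS = f"ssh-ed25519 {ALICE} alice-root\nssh-ed25519 {BOB} bob-root\n"
SAMPLE_LOG = "\n".join([
    f"Jul  1 14:01:02 host sshd[101]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2: ED25519 {fingerprint(ALICE)}",
    f"Jul  1 14:05:40 host sshd[102]: Accepted publickey for alice from 192.0.2.10 port 50030 ssh2: ED25519 {fingerprint(ALICE)}",
    f"Jul  1 14:30:11 host sshd[103]: Accepted publickey for root from 192.0.2.77 port 50040 ssh2: ED25519 {fingerprint(GONE)}",
    "Jul  1 15:20:00 host sshd[104]: Accepted password for root from 192.0.2.99 port 50100 ssh2",
])

if __name__ == "__main__":
    for event in attribute_root_logins(SAMPLE_LOG, load_owners(SAMPLE_KEYS)):
        print(event)
```

The third sample line stands for a key that was accepted at the time but is no longer in the current `authorized_keys`, such as one removed after its holder left.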