gabriel rosenkoetter on Mon, 1 Jul 2002 14:25:11 -0400



Re: [PLUG] log as root or not ?


On Mon, Jul 01, 2002 at 02:08:03PM -0400, Fred K Ollinger wrote:
> My $.02 says that what gabriel wants is for people to login remotely as
> root then immediately su to user then exit back to root to do those few
> steps where you really need to be root?

What purpose could that possibly serve?

I want them to login as themselves (using PKI, of course) most of
the time and login as root (using a different key, ideally, one
whose physical security is kept higher) when it's necessary to do
things as root.

Each user with root access would have their own key, so actions
taken by different people are easily logged (sshd records what key ID
was used for login if you tell it to, in addition to the source IP
address) with the aid of acctlog. This is *better* than a sulog, as
who knows how easily a given user account could be compromised, but
(in theory) only your real users have access to their own private
keys. It also lets you allow and disallow access to the root account
granularly without ever telling anyone the root password (which
makes it very easy to remove a laid off employee's access without
hustling around and changing a lot of passwords: he never had any to
begin with).

Though the user key could be left in an xlocked terminal when one
leaves for the day, the root-access key should not be. (It should
be, as I said, kept on a floppy that stays on your person when
you're not at your terminal.)

There are threat models under which this would be an insecure
system, but I really doubt you'd encounter them in most corporate
environments and certainly not on your home Linux machine.

-- 
gabriel rosenkoetter
gr@eclipsed.net

Attachment: pgpPlC07qINOR.pgp
Description: PGP signature
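The attribution scheme described in the message above (one root-access key per admin, sshd logging which key was used) can be checked against the auth log. The script below is an added example and is not code from the original mail or its author; it assumes sshd is run with `LogLevel VERBOSE` in `sshd_config` (the setting that makes OpenSSH log the key fingerprint on each accepted publickey login) and `PermitRootLogin prohibit-password`. The fingerprint-to-admin map, log lines, fingerprints and IP addresses are all constructed for the example.

```shell
#!/bin/sh
# Assumed sshd_config settings (assumption, not from the original mail):
#   PermitRootLogin prohibit-password   # root only via key, never by password
#   LogLevel VERBOSE                    # sshd then logs the key fingerprint

# Constructed map "fingerprint owner", as one would build from the comment
# field of each entry in /root/.ssh/authorized_keys. Values are made up.
KEYMAP='SHA256:AAAAexampleFingerprintForAlice alice
SHA256:BBBBexampleFingerprintForBob bob'

# Constructed sample auth log lines in OpenSSH's VERBOSE format.
SAMPLE_LOG='Jul  1 14:25:11 host sshd[1234]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2: RSA SHA256:AAAAexampleFingerprintForAlice
Jul  1 14:26:02 host sshd[1240]: Accepted publickey for fred from 192.0.2.11 port 51235 ssh2: RSA SHA256:CCCCexampleFingerprintForFred
Jul  1 14:30:45 host sshd[1250]: Accepted publickey for root from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:ZZZZunknownKey
Jul  1 14:31:00 host sshd[1260]: Failed password for root from 203.0.113.5 port 2222 ssh2'

# attribute_root_logins LOGTEXT KEYMAP
# Prints one line per accepted root login: "<admin-or-UNKNOWN> <fingerprint> <source-ip>".
# A fingerprint missing from the map means a key got into root's
# authorized_keys that nobody accounted for, which is exactly what the
# per-admin-key scheme is meant to make visible.
attribute_root_logins() {
    printf '%s\n' "$1" | awk -v keymap="$2" '
        BEGIN {
            n = split(keymap, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                owner[f[1]] = f[2]
            }
        }
        /Accepted publickey for root from / {
            fp = $NF                                   # fingerprint is the last field
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            who = (fp in owner) ? owner[fp] : "UNKNOWN"
            print who, fp, ip
        }'
}

# unknown_root_logins LOGTEXT KEYMAP
# Only the root logins whose key is not in the map: the lines to alert on.
unknown_root_logins() {
    attribute_root_logins "$1" "$2" | awk '$1 == "UNKNOWN"'
}

attribute_root_logins "$SAMPLE_LOG" "$KEYMAP"
```

Run against a real system, the log text would come from `/var/log/auth.log` (or `journalctl -u ssh`) and the map from the comment column of root's `authorized_keys`; removing an employee's line from that file revokes their root access without touching any password, which is the point the mail makes.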