[ale] SSH attempts

Jim Kinney jim.kinney at gmail.com
Fri Sep 16 13:55:53 EDT 2011


But if you lock the root account you're hosed in emergency run level 1.
Instead set securetty to only be local console and use sudo for all else.
On Sep 16, 2011 1:47 PM, "Michael B. Trausch" <mike at trausch.us> wrote:
> On Mon, 2011-09-12 at 17:40 -0400, Bob Toxen wrote:
>> Disabling root ssh and requiring one first to ssh in through another
>> account and su'ing or sudo'ing to root is not as effective as the
>> above solutions and may diminish security, in my opinion.
>
> Okay, so I can understand why that would be the case for giving accounts
> access to su (but if you're doing that, then you haven't locked the
> password for the root user anyway), but sudo is a totally different
> animal.
>
> What I do on all my systems these days is this:
>
> * I run "passwd -l root", so that root cannot login by any means
> (because its password is locked).
>
> * I create a group for full system administrators (that is, people
> that can run "sudo -i" or "sudo -s" to the root user account).
>
> * If the system has subadministrators, I configure sudo for that.
> For example, on a system that runs a phone system (say, FreeSWITCH),
> the phone system runs as a certain user. I'll create a group for
> people who are allowed to become that user, and then configure sudo
> to enable people to change their uid to that user so that they can
> administer the phone system. Same goes for a Web administrator or
> DBA. Such people would, therefore, not be allowed to become root
> (because they have no need to do so).
>
> * If there are people who have to run single commands as root, I will
> configure sudo to enable them to do so (as long as it's not a command
> that will spawn a subshell or something). All bets are off if it can
> spawn a subshell, of course, but as long as it is a well-behaved
> single-task program, it is usually fine.
>
> The sudo command can be used to create a very fine-grained system where
> people can only gain access to the privileges that they need in order to
> get their work done. It _can_ take a little bit to engineer an
> appropriate configuration, but once that's done, sudo takes care of the
> logging and all of that for you.
>
> There are even ways to make it possible to have fully functional system
> administrators that can do everything _except_ change the sudo
> configuration or certain items like system logs, though that is slightly
> outside of the scope of sudo itself.
>
> All that to say that proper use of sudo significantly enhances system
> security, not the opposite.
>
> --- Mike
>
> --
> A man who reasons deliberately, manages it better after studying Logic
> than he could before, if he is sincere about it and has common sense.
> --- Carveth Read, “Logic”
>
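A sudoers fragment that implements the tiers Mike lays out (full administrators, subadministrators who may become a service account, and people limited to single commands) together with the logging he mentions; this is an added example, not something posted in the thread, and the group names sysadmin, pbxadmin and webops and the service user freeswitch are assumptions.

```sudoers
# Added example (not from the thread). Drop in as /etc/sudoers.d/local-admins
# via "visudo -f /etc/sudoers.d/local-admins" so the syntax is checked first.
# Group and user names below are assumptions.

# Log every invocation to its own file and record terminal I/O, so that
# what happens inside a "sudo -i" session is auditable afterwards.
Defaults        logfile=/var/log/sudo.log
Defaults        log_input, log_output
Defaults        use_pty

# Tier 1: full administrators. Members may run "sudo -i" or "sudo -s".
%sysadmin       ALL=(ALL) ALL

# Tier 2: subadministrators who may become the phone-system user but not
# root: "sudo -u freeswitch -i" works for them, "sudo -i" is refused.
Runas_Alias     PBX = freeswitch
%pbxadmin       ALL=(PBX) ALL

# Tier 3: single commands as root. Exact paths and fixed arguments only.
# NOEXEC stops the command from executing further programs, which is how
# an editor or pager would otherwise hand out a root subshell; it relies
# on LD_PRELOAD, so it does not cover statically linked binaries.
Cmnd_Alias      WEBCTL = /usr/sbin/apachectl graceful, /usr/sbin/apachectl configtest
%webops         ALL=(root) NOEXEC: WEBCTL

# Jim's caveat still applies: if root must stay usable for single-user mode,
# limit where it may log in via /etc/securetty rather than locking the account.
```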