Mailing List Archive

Password handling of a system with many administrators
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

I've been wondering what would be the best way to handle passwords of a
system (one or more computers) which is administrated by a team of
administrators.

If were talking about a system with more than one machine, would you
choose different passwords for each machine or one for all of them?

Should passwords be stored somewhere readable by all admins? If so,
where? A computer? A peace of paper? Digital format?

Storing passwords somewhere is problematic if that place gets
compromised but if you have lots of passwords, it may be difficult for
every administrator to remember them all.

How about the choice of passwords? Good password even if hard to
remember or a not so good password but one that every admin would not
forget?


Thanks.


- --
Rui Covelo
http://ruicovelo.2ya.com







-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCLMw6fLPhlaxNQk0RAq9JAJ9116xCxFpNv3GyJ61UJvtj/3vt7ACfZ3Yw
n79kQN2G+DeRTxxK2TnaejI=
=d4yh
-----END PGP SIGNATURE-----

--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
Hello.

On Monday, March 7, 2005 22:48, Rui Covelo wrote:
> How about the choice of passwords? Good password even if hard to
> remember or a not so good password but one that every admin would not
> forget?

IMO, you should avoid passwords wherever possible. Use SSH-keys and
SSL-client-certs instead. :)
Every admin should use his own key (with his own password) to log into
the root-account, so he can decide whether the key is safe (no need for
a really strong password) or not.

If you talk about situations where passwords are needed (e.g.
DB-server), create one via makepasswd --chars=10 and store it into an
(possibly encrypted?) file in root's homedir. So no admin needs to
remember it, he just can look it up there.
This can also be used to change passwords automatically via cron.

cu, Bernd

--
In theory, theory and practice are the same.
In practice, they are different. - Larry McVoy
Re: Password handling of a system with many administrators [ In reply to ]
On Monday 07 March 2005 03:48 pm, Rui Covelo wrote:
> Hi!
>
> I've been wondering what would be the best way to handle passwords of a
> system (one or more computers) which is administrated by a team of
> administrators.

There are many ways to do this, but I prefer to use sudo (modify the sudoers
file).

sudo allows you to segment what each administrator has control over, and use
their own password to authenticate before the change. It also creates a good
log of what has been done and by whom.

> If were talking about a system with more than one machine, would you
> choose different passwords for each machine or one for all of them?

I prefer to use ssh with key-based authentication. I keep my private keys
only on my laptop, and have an authorized_keys file on each machine that I
need to log into.

> Should passwords be stored somewhere readable by all admins? If so,
> where? A computer? A peace of paper? Digital format?

See above. Use public/private ssh keys for login, and sudo (with each
administrator authenticating using their own password(s) for actually donig
administrative tasks.

> Storing passwords somewhere is problematic if that place gets
> compromised but if you have lots of passwords, it may be difficult for
> every administrator to remember them all.

ssh keys take care of most of this.

> How about the choice of passwords? Good password even if hard to
> remember or a not so good password but one that every admin would not
> forget?

Each administrator should choose their own passwords. Use a version of the
passwd program that enforces strong password rules.

Regards,

- Brian

--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
Rui Covelo <rpfc@mega.ist.utl.pt> wrote:
> How about the choice of passwords? Good password even if hard to
> remember or a not so good password but one that every admin would not
> forget?

Try Diceware (www.diceware.com). With it you can get long passphrases
that are easy to remember.
Re: Password handling of a system with many administrators [ In reply to ]
This might sound harsh..
but part of a security policy is not to disclose any information about
how you manage, keep, generate and destroy sensitive information has
passwords.

Normaly, each company, has a "culture" about that.

solutions vary from:
- physical location of teammates.. do the use the same office? same
building? different countries?

Because of what I said above.. I cannot say much more...




On Mon, 07 Mar 2005 21:48:45 +0000, Rui Covelo <rpfc@mega.ist.utl.pt> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi!
>
> I've been wondering what would be the best way to handle passwords of a
> system (one or more computers) which is administrated by a team of
> administrators.
>
> If were talking about a system with more than one machine, would you
> choose different passwords for each machine or one for all of them?
>
> Should passwords be stored somewhere readable by all admins? If so,
> where? A computer? A peace of paper? Digital format?
>
> Storing passwords somewhere is problematic if that place gets
> compromised but if you have lots of passwords, it may be difficult for
> every administrator to remember them all.
>
> How about the choice of passwords? Good password even if hard to
> remember or a not so good password but one that every admin would not
> forget?
>
> Thanks.
>
> - --
> Rui Covelo
> http://ruicovelo.2ya.com
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCLMw6fLPhlaxNQk0RAq9JAJ9116xCxFpNv3GyJ61UJvtj/3vt7ACfZ3Yw
> n79kQN2G+DeRTxxK2TnaejI=
> =d4yh
> -----END PGP SIGNATURE-----
>
> --
> gentoo-security@gentoo.org mailing list
>
>


--
Miguel Sousa Filipe

--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
p.s.: this is a good example of security through obscurity....


On Tue, 8 Mar 2005 00:31:39 +0000, Miguel Filipe
<miguel.filipe@gmail.com> wrote:
> This might sound harsh..
> but part of a security policy is not to disclose any information about
> how you manage, keep, generate and destroy sensitive information has
> passwords.
>
> Normaly, each company, has a "culture" about that.
>
> solutions vary from:
> - physical location of teammates.. do the use the same office? same
> building? different countries?
>
> Because of what I said above.. I cannot say much more...
>
>
> On Mon, 07 Mar 2005 21:48:45 +0000, Rui Covelo <rpfc@mega.ist.utl.pt> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi!
> >
> > I've been wondering what would be the best way to handle passwords of a
> > system (one or more computers) which is administrated by a team of
> > administrators.
> >
> > If were talking about a system with more than one machine, would you
> > choose different passwords for each machine or one for all of them?
> >
> > Should passwords be stored somewhere readable by all admins? If so,
> > where? A computer? A peace of paper? Digital format?
> >
> > Storing passwords somewhere is problematic if that place gets
> > compromised but if you have lots of passwords, it may be difficult for
> > every administrator to remember them all.
> >
> > How about the choice of passwords? Good password even if hard to
> > remember or a not so good password but one that every admin would not
> > forget?
> >
> > Thanks.
> >
> > - --
> > Rui Covelo
> > http://ruicovelo.2ya.com
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.6 (GNU/Linux)
> > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> >
> > iD8DBQFCLMw6fLPhlaxNQk0RAq9JAJ9116xCxFpNv3GyJ61UJvtj/3vt7ACfZ3Yw
> > n79kQN2G+DeRTxxK2TnaejI=
> > =d4yh
> > -----END PGP SIGNATURE-----
> >
> > --
> > gentoo-security@gentoo.org mailing list
> >
> >
>
> --
> Miguel Sousa Filipe
>


--
Miguel Sousa Filipe

--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
Miguel Filipe wrote:
> This might sound harsh..
> but part of a security policy is not to disclose any information about
> how you manage, keep, generate and destroy sensitive information has
> passwords.
>
> Normaly, each company, has a "culture" about that.

Usualy, it's not about a "culture". Is something that noone as the time
or motivation to think about it and *change it* to something better.


>
> solutions vary from:
> - physical location of teammates.. do the use the same office? same
> building? different countries?
>
> Because of what I said above.. I cannot say much more...
>

I'm not asking how you do it at work. I'm asking how you think it should
be done.



--
Rui Covelo
http://ruicovelo.2ya.com








--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
On Mon, Mar 07, 2005 at 09:48:45PM +0000, Rui Covelo wrote:
>
> If were talking about a system with more than one machine, would you
> choose different passwords for each machine or one for all of them?
I always reccomend and use seperate passwords for each machine - pain in
the ass though it is. Reason should be fairly obvious: if one machine
gets compromised then the entire network isn't compromised - at least
not right off the bat.

> Should passwords be stored somewhere readable by all admins? If so,
> where? A computer? A peace of paper? Digital format?
NO! There is no need for anyone to know anyone else's password ever.
I.E. su, sudo, wheel, etc.

> How about the choice of passwords? Good password even if hard to
> remember or a not so good password but one that every admin would not
> forget?
Good Question! I keep mine on a piece of paper until memorized then
burn it - usually later that day.
Because of this problem, however, and the problem of passwords in
general I am debating the switch over to keychain + password
authentications only that way actual password strength is not as much of
an issue allowing easier to remember passwords since password only
authentications would be silently denied. RSA/DSA seems more reliable
and is certainly harder to crack than many other solutions, while easily
secured on a usb thumb drive. I've started playing with this on one of
my systems and it seems to be working well so far - I do however want to
see it more widely accepted and tested before implementing it entirely
on one or more of my networks. There are still issues with central
authentication (think of the horrors of NIS) and cross platform issues.
Logging in from a compromised M$ box would be bad, and I am not sure
that there is such a thing as a non-compromised M$ box. Also I could
see some difficulty with OS X. Unfortunately for me most of the
networks I manage are rather mixed with usually only servers and a few
workstations being linux based.

Very good questions - but ones that seem to have no perfect solution -
when in doubt, however, I have learned to err on the side of security at
a slight loss of user friendliness.

MFP



--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
On Monday 07 March 2005 06:33 pm, Miguel Filipe wrote:
> p.s.: this is a good example of security through obscurity....

And 'shared secrets', while useful, are less secure overall than a policy
which does not require them to be effective.

Security through obscurity will give you more time to react as an attacker
probes your security perimiter and policies. Hopefully you'll have enough
time to notice and shut them out.

Regards,

- Brian

--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
Am Dienstag, 8. März 2005 14:05 schrieb Brian G. Peterson:
> Security through obscurity will give you more time to react as an attacker
> probes your security perimiter and policies. Hopefully you'll have enough
> time to notice and shut them out.

That's too true! And one point could probably be to have the user name "root"
mapped to a UID != 0 while UID == 0 has a different name (same applies for
group names). This should work, because every login has to check user NAMEs
and passwords, but software has to use UIDs.

But - try it out - Gentoo isn't able to handle this properly, at least last
time I tried to harden my dialin box this way (~3 months before).

However, this could have had a bit potential for at least kicking off a few
script kiddies, because becoming a system administrator from outside would at
least need to know something about the name-ID -mapping of the system...

regards!
Eckard

--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
On Mon, 2005-03-07 at 23:06 +0100, Bernd Wurst wrote:
> Hello.
>
> On Monday, March 7, 2005 22:48, Rui Covelo wrote:
> > How about the choice of passwords? Good password even if hard to
> > remember or a not so good password but one that every admin would not
> > forget?
>
> IMO, you should avoid passwords wherever possible. Use SSH-keys and
> SSL-client-certs instead. :)
> Every admin should use his own key (with his own password) to log into
> the root-account, so he can decide whether the key is safe (no need for
> a really strong password) or not.

Speaking of this, and not directly related to ssh, Is there a way to
have authentication done locally via public keys when su'ing to another
user? ie: I'd like to be able to eliminate the need for a root password
completely and have each administrator's key be the authentication
mechanism.


--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
On 8 Mar 2005, at 17:04, comsatcat wrote:
> Speaking of this, and not directly related to ssh, Is there a way to
> have authentication done locally via public keys when su'ing to another
> user? ie: I'd like to be able to eliminate the need for a root
> password
> completely and have each administrator's key be the authentication
> mechanism.

You should define one anyway, in case somebody would like to access the
machine locally.

Regards,
Philipp Kern
Re: Password handling of a system with many administrators [ In reply to ]
Hi.

Am Tuesday, 8. March 2005 17:04 schrieb comsatcat:
> Speaking of this, and not directly related to ssh, Is there a way to
> have authentication done locally via public keys when su'ing to
> another user? ie: I'd like to be able to eliminate the need for a
> root password completely and have each administrator's key be the
> authentication mechanism.

This should be possible via PAM in some way (I don't know much about
that).

But why su'ing, wenn you can just "ssh ::1" to get root?

cu, Bernd

--
Only one book has been printed in more copies than The Bible...
...the IKEA catalogue - Song "Facts of Life" by "Lazyboy"
Re: Password handling of a system with many administrators [ In reply to ]
On Tuesday 08 March 2005 17:04, comsatcat wrote:
> On Mon, 2005-03-07 at 23:06 +0100, Bernd Wurst wrote:
> > Hello.
> >
> > On Monday, March 7, 2005 22:48, Rui Covelo wrote:
> > > How about the choice of passwords? Good password even if hard to
> > > remember or a not so good password but one that every admin would
> > > not forget?
> >
> > IMO, you should avoid passwords wherever possible. Use SSH-keys and
> > SSL-client-certs instead. :)
> > Every admin should use his own key (with his own password) to log
> > into the root-account, so he can decide whether the key is safe (no
> > need for a really strong password) or not.
>
> Speaking of this, and not directly related to ssh, Is there a way to
> have authentication done locally via public keys when su'ing to another
> user? ie: I'd like to be able to eliminate the need for a root
> password completely and have each administrator's key be the
> authentication mechanism.

You can use sudo for this and allow adminstrators to execute bash as root
with their own password. I've got practice with this scheme and it works
well.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
Re: Password handling of a system with many administrators [ In reply to ]
Paul de Vrieze <pauldv@gentoo.org> wrote:
> > Speaking of this, and not directly related to ssh, Is there a way to
> > have authentication done locally via public keys when su'ing to another
> > user? ie: I'd like to be able to eliminate the need for a root
> > password completely and have each administrator's key be the
> > authentication mechanism.
>
> You can use sudo for this and allow adminstrators to execute bash as root
> with their own password. I've got practice with this scheme and it works
> well.

With sudo, you are making it so password sniffing sufficient to gain
ordinary user access is also sufficient to give root access. I think
the password for sudo access should be a distinct passphrase used only
for that. This the main reason I quit using sudo.




--
Barry.Schwartz@chemoelectric.org http://www.chemoelectric.org
"Even if they say lofty things like `democracy' or whatever
it is they say, they don't mean it." -- David Durenberger,
former Republican U. S. senator, on today's "Republicans"
Re: Password handling of a system with many administrators [ In reply to ]
On Friday 11 March 2005 11:02 am, Barry.Schwartz@chemoelectric.org wrote:
> With sudo, you are making it so password sniffing sufficient to gain
> ordinary user access is also sufficient to give root access.  I think
> the password for sudo access should be a distinct passphrase used only
> for that.  This the main reason I quit using sudo.

Password sniffing how?

I only allow SSH connections using keys to my servers, which invalidates all
'over the network' password sniffers that I'm aware of. Basically, I can't
imagine why anyone would use telnet anymore, given that it is completely
insecure over the network. If an attacker could insert a kernel keystoke
sniffer, they already have root access...

Please elaborate... I must be missing something.

Regards,

- Brian

--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
Am Friday, 11. March 2005 18:27 schrieb Brian G. Peterson:
> I only allow SSH connections using keys to my servers, which
> invalidates all 'over the network' password sniffers that I'm aware
> of.

Not everyone can disable ssh-password-logins. We just shocked our users
by not providing FTP, ssh-key only would be too complicated. And
imagine you (the admin) must do something on the server when you are
not on your computer... root-login, yes, that should not be done with
password.

Additionally, not only "network sniffers" are able to get a password.
Think of social hacking or keylogger on a remote computer when you try
to log into your box (if you are not on your machine and have to do
something important on the server).
When I look at me, I often log into my user account from untrustable
computers, I have to. So if I would use sudo, the administrator of that
untrusted box can get root on my server. Not good.

cu, Bernd

--
The hardness of the butter is proportional to the softness of the bread.
Re: Password handling of a system with many administrators [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bernd Wurst wrote:

| Not everyone can disable ssh-password-logins. We just shocked our users
| by not providing FTP, ssh-key only would be too complicated. And
| imagine you (the admin) must do something on the server when you are
| not on your computer... root-login, yes, that should not be done with
| password.

The users who can sudo to root, should be educated enough not to use
telnet. Or else, they arent qualified to be sysadmins. :P


|
| Additionally, not only "network sniffers" are able to get a password.
| Think of social hacking or keylogger on a remote computer when you try
| to log into your box (if you are not on your machine and have to do
| something important on the server).
| When I look at me, I often log into my user account from untrustable
| computers, I have to. So if I would use sudo, the administrator of that
| untrusted box can get root on my server. Not good.

I agree with that ;)


- --
Rui Covelo
http://ruicovelo.2ya.com







-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCMjBjfLPhlaxNQk0RAvU2AJ9x6mKLh61ISq5lMS7noUIXxbl/eACePY+j
PFkPa7Ng7QxG0ia//Jbszhw=
=AOt8
-----END PGP SIGNATURE-----

--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
"Brian G. Peterson" <brian@braverock.com> wrote:
> On Friday 11 March 2005 11:02 am, Barry.Schwartz@chemoelectric.org wrote:
> > With sudo, you are making it so password sniffing sufficient to gain
> > ordinary user access is also sufficient to give root access. ?I think
> > the password for sudo access should be a distinct passphrase used only
> > for that. ?This the main reason I quit using sudo.
>
> Password sniffing how?

I just mean it is easy to lose a personal password that's used all the
time, even if it's by someone looking over a shoulder.

> I only allow SSH connections using keys to my servers, which invalidates all
> 'over the network' password sniffers that I'm aware of. Basically, I can't
> imagine why anyone would use telnet anymore, given that it is completely
> insecure over the network.

There has been TLS and X.509 support for telnet for years, and its X
forwarding always seemed to me more efficient, somehow, than
openssh's. It's just that nobody ever knew about telnet-tls, and it
isn't as easy to set up or as Unix-friendly. Columbia Kermit is a
telnet-tls client, although it also supports tunneling through an ssh
client. Stanford SRP (Secure Remote Passwords) is based on telnet-tls
but has patent problems of some sort, which have hindered its
adoption.

If you want to be secure with ssh you might want to sign the keys with
a revocable X.509 certificate, because otherwise I'm not sure if there
is any way to revoke a compromised key. I've never tried that myself,
and I'm not sure about the details of making it work. It's a security
issue discussed in the Kermit Security Reference.

That's all I know. :)


--
Barry.Schwartz@chemoelectric.org http://www.chemoelectric.org
"Even if they say lofty things like `democracy' or whatever
it is they say, they don't mean it." -- David Durenberger,
former Republican U. S. senator, on today's "Republicans"
Re: Password handling of a system with many administrators [ In reply to ]
Hi.

Am Saturday, 12. March 2005 00:57 schrieb Rui Covelo:
> | Not everyone can disable ssh-password-logins. We just shocked our
> | users by not providing FTP, ssh-key only would be too complicated.
> | And imagine you (the admin) must do something on the server when
> | you are not on your computer... root-login, yes, that should not be
> | done with password.
> The users who can sudo to root, should be educated enough not to use
> telnet. Or else, they arent qualified to be sysadmins. :P

When exactly did I write *anything* about telnet?

I don't know if you know that, but there is anything between
ssh-key-login and telnet-"publish my password to the world"-Login. :-)

SSH also supports password-logins. That's what I'm talking about.

The strongest network encryption cannot help you when you type the
password on a system that has any untrustable administrator. Do you
really just log into your user accounts from computers that are fully
under your control?

cu, Bernd

--
Drinking won't solve your problems.
But it will bring you lots of interesting new ones.
Re: Password handling of a system with many administrators [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


|
| When exactly did I write *anything* about telnet?

Whatever... Brian wrote about telnet and ssh-keys. You wrote ssh-keys
would be too complicated. I mixed the statements together.

Anyhow... you wont shock sysadmins by allowing them only to login with
keys (or <insert any other method here>) to their user accounts because
they should already know better.

About sysadmins logging in to their user accounts from public/unthrusted
computers, I already agreed that can be a problem *IF* they really must
use their user accounts from unthrusted computers and *IF* those users
accounts are the same accounts that gives them the ability to sudo.
Anyway, they should not login to root from unthrusted computers. I never do.



- --
Rui Covelo
http://ruicovelo.2ya.com







-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCMslxfLPhlaxNQk0RAqz9AJ49MhZAAs3jJ6lROoyhV44kyc4QawCeJIIq
X4uNJQ6gXjk62lfK4fdYFz0=
=Uktv
-----END PGP SIGNATURE-----

--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bernd Wurst wrote :

| Hi.
|
| You answered off-list, was this your aim?
|
|
| Am Saturday, 12. March 2005 11:42 schrieb Christophe Garault:
|
|> | When I look at me, I often log into my user account from |
|> untrustable computers, I have to. Why not use an OTP? emerge skey
|> will do it for you. Have a generator on your handeld device (even
|> your cell phone if it's java capable) and that's it. Now you can
|> log to your machines from wherever you want even to root account
|> without fearing sniffing or anything else.
|
|
| Good idea, I just thought about something like that but for the
| moment, I don't have such a mobily device. :)
|
| But true, this is a good and secure strategy.
|
| cu, Bernd

No Bernd my primary intention was to write to the list. But when the
hangover strikes.. ;-)

- --
Christophe Garault
Take your marks:
Gen too three: Emerge!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCMtaqJ5Nh3YMYAQsRAtwkAJsGsA7Gh5Rd0GVGy244NR27TvGr8ACdGOWR
NrohORwyEkuDjO4vQARK9Us=
=pAe1
-----END PGP SIGNATURE-----


--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
On Saturday 12 March 2005 12:05 am, Bernd Wurst wrote:
> The strongest network encryption cannot help you when you type the
> password on a system that has any untrustable administrator. Do you
> really just log into your user accounts from computers that are fully
> under your control?


Yes, you are correct.
Logging in from an untrusted machine puts you at risk of password discovery.

For logins from untrusted hosts, I use hardware tokens or S/KEY passwords via
accounts set up for that authentication method. Most of the time, when I
need to login remotely, I'm doing it from my laptop on an untrusted
*network*, which is why I verify the host key of my server and use SSH. Many
of my employees work remotely, and they connect to our hosts by first using
key-based authentication to our VPN from their laptops.

(Before anybody asks, all our laptops are running Gentoo, and are being used
by security-concious developers ;)

Take a look at token-based or S/KEY based authentication. This can also be
used for sudo (via PAM). It would solve the problem for your administrators,
no matter where they are logging in from.

Regards,

- Brian

--
gentoo-security@gentoo.org mailing list
Re: Password handling of a system with many administrators [ In reply to ]
On Friday 11 March 2005 18:02, Barry.Schwartz@chemoelectric.org wrote:
>
> With sudo, you are making it so password sniffing sufficient to gain
> ordinary user access is also sufficient to give root access. I think
> the password for sudo access should be a distinct passphrase used only
> for that. This the main reason I quit using sudo.

As far as I know, sudo uses pam for authentication. You could configure
the pam service for sudo to use different passwords than the login
passwords.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
Re: Password handling of a system with many administrators [ In reply to ]
On Thursday 17 March 2005 06:49 am, Paul de Vrieze wrote:
> As far as I know, sudo uses pam for authentication. You could configure
> the pam service for sudo to use different passwords than the login
> passwords.

sudo *can* use pam (and does in the default Gentoo setup with USE=pam), but it
doesnt require it
-mike
--
gentoo-security@gentoo.org mailing list