[H-GEN] passwords

Martin Pool mbp at linuxcare.com.au
Mon Jul 24 21:04:01 EDT 2000


On Mon, Jul 24, 2000 at 06:30:21PM +1000, Daniel Quinlan wrote:
> [ Humbug *General* list - semi-serious discussions about Humbug and ]
> [ Unix-related topics.  Please observe the list's charter.          ]
> 
> hi,
> 
>    thanks for all the input from everyone.  It's come down to this
> 
>    root access only at the console or via su
>    root password to follow a pattern based on the site
>    su access only to group members 
>    remote access only via ssh with RSA keys 
>    user accounts with login shells to have a secure password (read long and randomly generated)
> 
> 
>    which still leaves me with these issues:
> 

>    which group should I make su owned by?  I remember it being wheel on some
>    other *nix I've worked on but Debian doesn't appear to have wheel. I'm
>    going to email someone at Debian about this one.

I'd recommend that you install sudo instead.  It has a simple
configuration means to limit access per group, and it means admins
don't need to remember and type the root password all the time.  Also,
the timeout feature is very convenient.  It's in Debian.

You'll want a line in /etc/sudoers something like this:

%adm ALL=(ALL) ALL

which means people in the adm group can run any command as anybody
anywhere.

>    how to manage the RSA keys?
>    Give each tech their own key and copy all techs' keys to
>    all servers

Yes, do this one.  It gives you better accountability, and it's easier
to revoke keys.

-- 
Martin Pool, Linuxcare, Inc.
+61 2 6262 8990
mbp at linuxcare.com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
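
The per-tech key scheme discussed above, as an added example that is not part of the original message. It assumes a hypothetical directory with one OpenSSH-format public key file per tech (KEYDIR/<tech>.pub); the function names and the "tech=" tag are illustrative, and the key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example. Assumed layout: KEYDIR/<tech>.pub, one OpenSSH public key each.

# Print authorized_keys content: one line per tech, with the comment field
# replaced by the owner's name so every key on a server maps to one person.
build_authorized_keys() {
    for f in "$1"/*.pub; do
        [ -f "$f" ] || continue          # empty directory: glob did not match
        tech=$(basename "$f" .pub)
        awk -v tech="$tech" '$1 !~ /^#/ && NF >= 2 { print $1, $2, "tech=" tech }' "$f"
    done
}

# Write the merged file atomically with owner-only permissions.
install_keys() {
    tmp="$2.tmp.$$"
    ( umask 077; build_authorized_keys "$1" > "$tmp" ) && mv -f -- "$tmp" "$2"
}

# Revoke one tech: delete their key file, then regenerate the merged file.
revoke_tech() {
    rm -f -- "$1/$2.pub"
    install_keys "$1" "$3"
}

# List the techs whose keys are present in a generated file.
list_techs() {
    awk '{ sub(/^tech=/, "", $3); print $3 }' "$1" | sort | paste -sd, -
}

# Demo on constructed (non-functional) key material in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    echo "ssh-rsa AAAAB3CONSTRUCTEDalice alice@laptop" > "$d/alice.pub"
    echo "ssh-rsa AAAAB3CONSTRUCTEDbob bob@desk"       > "$d/bob.pub"
    install_keys "$d" "$d/authorized_keys"
    echo "before: $(list_techs "$d/authorized_keys")"
    revoke_tech "$d" bob "$d/authorized_keys"
    echo "after:  $(list_techs "$d/authorized_keys")"
    rm -rf -- "$d"
}
demo
```

The generated file is what gets copied to each server; revoking a tech means removing one key file and redistributing, with no shared key to rotate for everyone else.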