[TriLUG] Password Security

Ron Joffe rjoffe at yahoo.com
Mon Jul 23 19:18:26 EDT 2007


In addition to Linux logins we have a large number of other types of 
usernames/passwords to keep track of. This includes everything from Oracle 
logons, VNC passwords, VPN tunnel authentication, application passwords, 
Windows domain logons, etc. We work in quite a complex multi-application 
environment, and we have 10 completely separate clients to worry 
about.

The solution we are looking for cannot be handled purely by sudo, PAM, etc. 
Although I appreciate the pointers, we are looking for a far wider solution 
for password management.

Thanks,

Ron



On Monday 23 July 2007 18:53, Andrew C. Oliver wrote:
> Linux authentication can take place with a series of stackable modules
> via PAM (http://www.kernel.org/pub/linux/libs/pam/modules.html).  There
> are all manner of modules that could authenticate against some internet
> accessible server (be careful to encrypt the stream, avoid DNS, etc).
> You could ask that customers maintain some pam module that uses your
> directory server (LDAP or otherwise) and your admins could just login
> using their normal username.  They could also be listed in Sudo
> http://en.wikipedia.org/wiki/Sudo so they could always become root.  In
> fact on Ubuntu, an ever popular Linux distribution, you generally create
> a user account and it has sudo access.  You generally don't actually
> ever type the root password.
>
> -Andy
>
> Ron Joffe wrote:
> > On Monday 23 July 2007 14:28, Andrew C. Oliver wrote:
> >>> Now what do you do when you have to keep a list of passwords sync'd
> >>> between a set of support technicians?
> >>
> >> This is a REALLY bad idea procedurally to share a set of passwords
> >> between users if that is what you mean.
> >
> > I have 4 people responsible for after hours support on a growing number
> > of client systems. Could you please post your suggestions as to how they
> > all should gain privs on those servers? I have my own ideas, but rather
> > than taint your answer, I would like to get a fresh perspective.
> >
> > Thanks,
> >
> > Ron


