[TriLUG] Shared user account best practices

Warren Myers volcimaster at gmail.com
Thu Jul 10 12:48:44 EDT 2008


Depending on the total number of servers you have to worry about, it may be
worth looking at some of the server management tools out there. (Disclaimer,
I work for a company that does exactly that - on a scale writ large.)

A thought could be to wrap the allowed utility calls in a shell script (rx
perms only) that snags off the output of the commands into syslog or
similar?

For accountability, eventually you're going to have to trust the folks
running scripts / doing jobs to be NOT assholes.

WMM

On Thu, Jul 10, 2008 at 12:43 PM, Shawn Hood <shawnlhood at gmail.com> wrote:

> Doh!  Yes, I failed to mention that we will be using pre-shared keys.
> I guess I should be more clear:  Are there other practices that are
> preferred for such tasks?  Should I be approaching this problem from
> another angle that will improve security and accountability?
>
> Shawn
>
> On Thu, Jul 10, 2008 at 12:31 PM, Warren Myers <volcimaster at gmail.com>
> wrote:
> > Can you use a pre-shared ssh key, and lock down the user on the remote
> > box (either directly, or using ldap/nis/whatever) so it can only do the tasks
> > you allow?
> >
> > WMM
> >
> > On Thu, Jul 10, 2008 at 12:22 PM, Shawn Hood <shawnlhood at gmail.com> wrote:
> >
> >> All,
> >>
> >> Shared user account best practices?  Seemingly a misnomer.  :)
> >>
> >> At any rate, I was hoping to get some guidance on the following issue.
> >>  My organization needs user accounts to be used by scripts for
> >> automated tasks (e.g. deploying an application build to a server,
> >> logging in to check certain aspects of a system).  I've seen
> >> configurations where certain users are only allowed to execute a
> >> certain set of commands via SSH instead of actually getting a shell.
> >> This seems like a step in the right direction.  Any other ideas?
> >>
> >>
> >> --
> >> Shawn Hood
> >> 910.670.1819 m
> >> --
> >> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> >> TriLUG FAQ  : http://www.trilug.org/wiki/Frequently_Asked_Questions
> >>
> >
> >
> >
> > --
> >
> > Warren Myers
> > http://warrenmyers.com
> >
>
>
>
>



-- 

Warren Myers
http://warrenmyers.com
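Putting the two suggestions from this thread together (a pre-shared key locked down to specific tasks, and a wrapper that records what the key was used for in syslog), here is an added example that is not part of any of the original posts: a POSIX sh forced-command wrapper for a shared automation account. The install path /usr/local/bin/deploy-wrapper, the subcommand names (deploy, disk-status), the target paths /usr/local/bin/deploy-build and /srv/builds, and the KEY_NAME variable are all assumptions made for the example. sshd runs the wrapper in place of whatever the client requested and hands the request over in SSH_ORIGINAL_COMMAND; the wrapper never evaluates that string, it only compares it against an allowlist, logs the verdict, and execs a fixed argv.

```sh
#!/bin/sh
# Added example, not from the thread: a forced-command wrapper for a shared
# automation account. Install it as /usr/local/bin/deploy-wrapper (assumed
# path), mode 0555, and pin each pre-shared key to it in authorized_keys:
#
#   command="/usr/local/bin/deploy-wrapper",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA...PLACEHOLDER... ci-server
#
# sshd then runs this script instead of whatever the client asked for and
# passes the client's request in SSH_ORIGINAL_COMMAND; the request is only
# ever compared against an allowlist, never evaluated by the shell.

set -f   # no pathname expansion anywhere: a request like "deploy *" stays literal

# Policy: map a subcommand (plus at most one argument) to the exact argv the
# account may run. Prints the argv and returns 0, or returns 1 for anything
# else. Subcommand names and target paths are constructed for this example.
allowed_argv() {
    case "$1" in
        deploy)
            # one build id, limited to a safe character set so it cannot
            # escape /srv/builds or smuggle options into the deploy tool
            case "${2:-}" in
                "" | *[!A-Za-z0-9._-]*) return 1 ;;
            esac
            printf '%s\n' "/usr/local/bin/deploy-build /srv/builds/$2"
            ;;
        disk-status)
            [ $# -eq 1 ] || return 1
            printf '%s\n' "df -h /"
            ;;
        *) return 1 ;;
    esac
}

# Accountability: every decision goes to syslog (facility auth) with the key
# name and client address. KEY_NAME is assumed to come from an
# environment="KEY_NAME=..." option on the key's authorized_keys line, which
# sshd honours only when PermitUserEnvironment is enabled; otherwise "unknown".
audit() {
    logger -t deploy-wrapper -p auth.info \
        "key=${KEY_NAME:-unknown} client=${SSH_CLIENT%% *} $1" 2>/dev/null || :
}

# Decide on one request string. Prints "allow <argv>" or "deny" and returns
# 0 or 1. Kept separate from the exec so the policy can be checked offline.
decide() {
    set -- $1                         # split on whitespace only (globbing is off)
    [ $# -ge 1 ] && [ $# -le 2 ] || { printf 'deny\n'; return 1; }
    argv=$(allowed_argv "$@") || { printf 'deny\n'; return 1; }
    printf 'allow %s\n' "$argv"
}

# Forced-command entry point: an empty SSH_ORIGINAL_COMMAND means the client
# asked for an interactive shell, which is denied like everything else.
main() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if decision=$(decide "$req"); then
        audit "ALLOW request='$req'"
        set -- ${decision#allow }
        exec "$@"
    fi
    audit "DENY request='$req'"
    printf 'command not permitted\n' >&2
    exit 127
}

# Dry run from a terminal: show the policy's verdict on constructed requests.
demo() {
    for r in 'deploy build-2008.07.10' 'disk-status' 'deploy ../../etc/shadow' \
             'deploy; rm -rf /' 'bash' ''; do
        printf '%-26s -> %s\n' "'$r'" "$(decide "$r" || :)"
    done
}

# sshd always sets SSH_CONNECTION; that is how the script tells the two
# modes apart (forced command under sshd, dry run from a local shell).
if [ -n "${SSH_CONNECTION:-}" ]; then main; else demo; fi
```

Run locally with no arguments it prints the allow/deny table for the constructed requests; under sshd it behaves as the forced command. The point of keeping `decide` free of side effects is that the allowlist can be reviewed and exercised without an SSH session, and the `auth.info` lines from `audit` give the per-key trail that a shared account otherwise loses.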


