[TriLUG] Shared user account best practices

Warren Myers volcimaster at gmail.com
Thu Jul 10 13:21:43 EDT 2008


syslog can be set up to track login times.
If you correlate the time a user logs in to the IP address originating the
session, you can look at that box to see who's logged in and initiated the
session.

WMM
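The correlation described above, worked through as an added example (not code from the thread or from any of its participants). It assumes OpenSSH "Accepted publickey" lines, where newer sshd releases (or LogLevel VERBOSE) also record the key fingerprint, so a shared account with one key per person can be attributed directly; when no fingerprint is logged it falls back to matching the login time and source IP against a constructed table of who was logged in on the originating box. All log lines, fingerprints, hosts and sessions are constructed sample data.

```python
"""Attribute logins to a shared account to an individual person.

Added example, not the list author's code. Assumes OpenSSH "Accepted
publickey" log lines (fingerprint present on newer sshd or LogLevel VERBOSE)
and a constructed table of interactive sessions on the originating hosts.
"""
import re
from datetime import datetime

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: \S+ (?P<fp>SHA256:\S+))?"
)

# Constructed sample log: two successful key logins to the shared "deploy"
# account (one with a fingerprint, one without) and one failure to ignore.
SAMPLE_LOG = """\
Jul 10 13:05:12 build01 sshd[2211]: Accepted publickey for deploy from 192.0.2.10 port 51234 ssh2: RSA SHA256:aaaaaaaa
Jul 10 13:21:43 build01 sshd[2290]: Accepted publickey for deploy from 192.0.2.11 port 51300 ssh2
Jul 10 13:22:01 build01 sshd[2291]: Failed password for deploy from 198.51.100.9 port 40000 ssh2
"""

# Constructed: one authorized_keys entry per person, indexed by fingerprint.
KEY_OWNERS = {"SHA256:aaaaaaaa": "shawn"}

# Constructed: interactive sessions on the originating hosts, i.e. what
# "look at that box" would show: (person, host_ip, start, end).
SESSIONS = [
    ("paul",   "192.0.2.11", datetime(2008, 7, 10, 13, 0), datetime(2008, 7, 10, 14, 0)),
    ("warren", "192.0.2.11", datetime(2008, 7, 10, 9, 0),  datetime(2008, 7, 10, 12, 0)),
]


def parse_logins(text, year=2008):
    """Return one dict per accepted login; syslog lines carry no year, so supply it."""
    logins = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        logins.append({"when": when, "host": m["host"], "user": m["user"],
                       "ip": m["ip"], "fp": m["fp"]})
    return logins


def attribute(login, key_owners=KEY_OWNERS, sessions=SESSIONS):
    """Return (person, evidence). A known key fingerprint settles it; otherwise
    correlate login time and source IP with sessions on the originating host."""
    if login["fp"] in key_owners:
        return key_owners[login["fp"]], "key fingerprint"
    candidates = sorted({p for p, ip, start, end in sessions
                         if ip == login["ip"] and start <= login["when"] <= end})
    if len(candidates) == 1:
        return candidates[0], f"session on {login['ip']}"
    if not candidates:
        return "unknown", f"no session on {login['ip']} at that time"
    return "ambiguous", "candidates: " + ", ".join(candidates)


if __name__ == "__main__":
    for login in parse_logins(SAMPLE_LOG):
        person, evidence = attribute(login)
        print(f"{login['when']} {login['user']}@{login['host']} "
              f"from {login['ip']} -> {person} ({evidence})")
```

The fingerprint path is the reliable one; the session-correlation fallback only works when the source host itself has trustworthy session records, and it reports "ambiguous" rather than guessing when several people were logged in there at the time.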

On Thu, Jul 10, 2008 at 1:15 PM, Paul G. Szabady <paul at thyservice.com>
wrote:

> Generally speaking, it's not a trust issue.  More times than not, it's
> an accountability issue.  In other words, how easy can you track down
> the person that performed a specific task when multiple people have
> access to the un/pw.
>
> Warren Myers wrote:
> > Depending on the total number of servers you have to worry about, it may
> > be worth looking at some of the server management tools out there.
> > (Disclaimer, I work for a company that does exactly that - on a scale
> > writ large.)
> >
> > A thought could be to wrap the allowed utility calls in a shell script
> > (rx perms only) that snags off the output of the commands into syslog or
> > similar?
> >
> > For accountability, eventually you're going to have to trust the folks
> > running scripts / doing jobs to be NOT assholes.
> >
> > WMM
> >
> > On Thu, Jul 10, 2008 at 12:43 PM, Shawn Hood <shawnlhood at gmail.com>
> > wrote:
> >
> >> Doh!  Yes, I failed to mention that we will be using pre-shared keys.
> >> I guess I should be more clear:  Are there other practices that are
> >> preferred for such tasks?  Should I be approaching this problem from
> >> another angle that will improve security and accountability?
> >>
> >> Shawn
> >>
> >> On Thu, Jul 10, 2008 at 12:31 PM, Warren Myers <volcimaster at gmail.com>
> >> wrote:
> >>
> >>> Can you use a pre-shared ssh key, and lock down the user on the remote
> >>> box (either directly, or using ldap/nis/whatever) so it can only do the
> >>> tasks you allow?
> >>>
> >>> WMM
> >>>
> >>> On Thu, Jul 10, 2008 at 12:22 PM, Shawn Hood <shawnlhood at gmail.com>
> >>> wrote:
> >>>
> >>>> All,
> >>>>
> >>>> Shared user account best practices?  Seemingly a misnomer.  :)
> >>>>
> >>>> At any rate, I was hoping to get some guidance on the following issue.
> >>>> My organization needs user accounts to be used by scripts for
> >>>> automated tasks (e.g. deploying an application build to a server,
> >>>> logging in to check certain aspects of a system).  I've seen
> >>>> configurations where certain users are only allowed to execute a
> >>>> certain set of commands via SSH instead of actually getting a shell.
> >>>> This seems like a step in the right direction.  Any other ideas?
> >>>>
> >>>>
> >>>> --
> >>>> Shawn Hood
> >>>> 910.670.1819 m
> >>>> --
> >>>> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> >>>> TriLUG FAQ  : http://www.trilug.org/wiki/Frequently_Asked_Questions
> >>>>
> >>>
> >>> --
> >>>
> >>> Warren Myers
> >>> http://warrenmyers.com
> >>
> >> --
> >> Shawn Hood
> >> 910.670.1819 m
>
> --
> Paul
> @ Thy Service
>
>



-- 

Warren Myers
http://warrenmyers.com
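The thread's recurring suggestion (a key-restricted account that can only run a fixed set of commands, with what it ran logged to syslog) as an added example; this is not code from the thread or from any of its participants. It assumes the gate is installed as the `command=` target of each person's key in the shared account's authorized_keys, with the person's name passed as its argument, and that the program paths in the allowlist exist; those paths and the name `deploy-gate` are assumptions.

```python
"""Forced-command gate for a shared automation account.

Added example, not the list author's code. Install it as the command= target
of each person's key in the shared account's ~/.ssh/authorized_keys, e.g.
    command="/usr/local/bin/deploy-gate shawn",no-pty,no-port-forwarding ssh-rsa AAAA... shawn@laptop
(path and per-key name are assumed). sshd then runs this gate instead of a
shell with the client's request in SSH_ORIGINAL_COMMAND; the gate allows only
listed commands, constrains their arguments, records who (by key) ran what
from where in syslog, and exec()s the real program without a shell.
"""
import os
import re
import shlex
import sys

# Name the client may type -> (real argv, pattern every extra argument must
# match, maximum number of extra arguments). Program paths are assumed.
ALLOWED = {
    "deploy":     (["/usr/local/bin/deploy-build"], re.compile(r"^[A-Za-z0-9._-]{1,64}$"), 1),
    "disk-check": (["/bin/df", "-h"], None, 0),
    "uptime":     (["/usr/bin/uptime"], None, 0),
}


def decide(original_command, allowed=ALLOWED):
    """Return the argv to execute, or None to refuse.

    No command means the client asked for an interactive shell, which a shared
    account should never get; anything not on the list, or with extra or
    malformed arguments, is refused rather than handed to a shell.
    """
    if not original_command:
        return None
    try:
        words = shlex.split(original_command)
    except ValueError:            # unbalanced quotes
        return None
    if not words or words[0] not in allowed:
        return None
    program, arg_re, max_args = allowed[words[0]]
    extra = words[1:]
    if len(extra) > max_args:
        return None
    if extra and (arg_re is None or not all(arg_re.match(a) for a in extra)):
        return None
    return program + extra


def main():
    import syslog  # Unix only; imported here so decide() stays testable anywhere
    key_owner = sys.argv[1] if len(sys.argv) > 1 else "unknown-key"
    client = (os.environ.get("SSH_CLIENT") or "?").split()[0]   # source IP
    requested = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    argv = decide(requested)
    syslog.openlog("deploy-gate", syslog.LOG_PID, syslog.LOG_AUTH)
    if argv is None:
        syslog.syslog(syslog.LOG_WARNING,
                      f"REFUSED key={key_owner} from={client} cmd={requested!r}")
        sys.stderr.write("command not permitted\n")
        sys.exit(1)
    syslog.syslog(syslog.LOG_INFO,
                  f"RUN key={key_owner} from={client} argv={argv!r}")
    os.execv(argv[0], argv)   # argv reaches the program intact; no shell parses it


if __name__ == "__main__":
    main()
```

Because each person's key carries their own `command="... <name>"` option, the syslog line names the individual even though the Unix account is shared, which addresses the accountability concern raised earlier in the thread; `no-pty` and `no-port-forwarding` close the other ways the key could be used for something besides the listed commands.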
