From: Rob Andrews
To: Alex Holst
Date: Thu, 28 Mar 2002 12:36:35 -0600
Subject: Re: sudo.. a better way maybe?
Message-ID: <20020328123635.A69105@switchblade.cyberpunkz.org>
User-Agent: Mutt/1.2.5.1i
Organization: Cyberpunk Alliance

.- - - - - - Alex Holst wrote (2002/03/27 at 11:13:35 PM) - - - - - -
|> This sounds like a policy question. First, if you are running vulnerable
|> or trojaned software, all bets are off anyway. Install a file integrity
|> checker. Second, most users wouldn't need blanket sudo access.

No, it's not a policy question. What part of my email lacked clarity? I'm fully well aware of problems as a result of vulnerable software on a system. So basically I don't need this talking-down thing that you're doing here. I've worked for companies such as SGI/Cray, IBM, and several others where common sense is common practice. So the last thing I need here is someone attempting to tell me what I need to do on my systems when I've already taken preventive steps that exceed your narrow scheme of what security on a system is.

In the first place, only staff members have access to use sudo. Duh. And as far as a file integrity checker, that was just pure logic to have that in place. The system that was compromised that caused the intrusion in the first place was a remote system that I was not in control of, so I had no idea that there was even a problem with users logging in from there and having their passwords compromised by said remote system.

|> Staff *might* need blanket sudo access. If you are so worried about
|> compromised accounts, why are you using password-based authentication
|> for logins and sudo access in the first place? Get a two factor
|> authentication solution.

You know, I asked for a solution, or to be pointed in the right direction. Not for advice that has nothing to do with what I was asking. I have other methods of authentication that I can use, of course. This wasn't at all the question. I wanted a way to use sudo and incorporate into that solution a way to set up a secondary password file which we can use PAM to do auth with, instead of the old way of sudo using the same passwords as the login.

While sudo is a nice tool, its manner of doing what it does lacks any real logic. Why would you have a tool that gives a user the ability to maybe su to root without there being something more than the user's own login password to get them there? No logic at all. There should have been a secondary password file idea written into sudo at the time it was written. Plain and simple.

The system does use ssh logins only. So plaintext passwords after the fact I am really not overly concerned with. It was being able to allow some of the not-so-technical users that do need higher-level access to certain functions on the machine a way to do so without having to be root, yet allowing the user to have a second password set via sudo so that higher-level functions they would access could be protected by some small attempt on my part.

Sorry, but this reply just really annoyed me..

Note.. I haven't posted this reply to the list out of general respect for others that don't need to see me flaming people such as yourself who haven't a bloody clue as to how to answer a question without coming off as you know better than I. You don't, or you'd have kept your mouth shut and said nothing at all. You not only didn't answer my question, but you managed to ensure my general lack of respect for would-be admins such as yourself that flood the market and prevent people such as myself from finding decent jobs where there is some level of respect for the work that I and others like me do.

Begone with your ignorance..
| `- - - - - - - - - - - EOF - - - - - - - - - - - - - --

:| Robert Andrews
:| Cyberpunk Alliance   http://www.cyberpunkz.org
:| Minneapolis, MN      Email: rob@cyberpunkz.org   Office: 763-535-6392
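The setup the message asks for, sudo prompting for a password held in a separate file rather than the user's login password, is what PAM's per-service configuration is for. The fragments below are an added illustration, not part of this email thread and not sudo's or PAM's own documentation. They assume a Linux host where sudo was built with PAM support (the `--with-pam` configure option), a Red Hat style `system-auth` include stack (Debian derivatives use `@include common-auth` instead), the third-party `pam_pwdfile` module being installed, and a secondary password file at the hypothetical path `/etc/sudo-passwd`. The option spelling `pwdfile=` and the file layout are stated as assumptions to check against the installed module's README.

```text
# /etc/pam.d/sudo  -- stock layout on many Linux distributions.
# sudo asks for the same password the user logs in with, because the
# "auth" step is simply delegated to the system-wide stack.
auth     include  system-auth
account  include  system-auth
session  include  system-auth

# /etc/pam.d/sudo  -- rewritten so that only the "auth" step changes.
# The password sudo asks for is looked up in /etc/sudo-passwd (assumed
# path) instead of /etc/shadow; account and session handling stay as
# they were so expired or locked accounts are still refused.
auth     required pam_pwdfile.so pwdfile=/etc/sudo-passwd
account  include  system-auth
session  include  system-auth

# /etc/sudo-passwd  -- constructed sample, one "user:hash" line per user,
# owned by root and mode 0600. The hash is whatever crypt(3) form the
# installed pam_pwdfile accepts (older releases: DES or MD5-crypt only);
# the value below is a placeholder, not a real hash.
alice:$1$<salt>$<hash>
```

Two practical notes from a defender's side. First, sudo runs with root privileges when it walks this stack, so the secondary file needs no wider permissions than `0600 root:root`, and it should be covered by the same file-integrity checker as `/etc/pam.d/sudo` itself, since either file being altered silently changes who can escalate. Second, this separates the sudo secret from the login secret, which is exactly the point of the message, but it does not help against the scenario it describes if the compromised remote host can also capture what the user types into the sudo prompt during the same session; a second factor that cannot be replayed is what closes that gap.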