From: Alex Holst
To: Rob Andrews
Date: Fri, 29 Mar 2002 04:05:56 +0000
Subject: Re: sudo.. a better way maybe?
Message-ID: <20020329040556.GA89340@area51.dk>
User-Agent: Mutt/1.3.28i

Quoting Rob Andrews (rob@cyberpunkz.org):
> .- - - - - - Alex Holst wrote (2002/03/27 at 11:13:35 PM) - - - - - -
> |> This sounds like a policy question. First, if you are running vulnerable
> |> or trojaned software, all bets are off anyway. Install a file integrity
> |> checker. Second, most users wouldn't need blanket sudo access.
>
> No, it's not a policy question. What part of my email lacked clarity?

Having read this clarification, all of it. Comments below.

> I'm fully well aware of problems as a result of vulnerable software
> on a system. So basically I don't need this talking down thing that
> you're doing here. I've worked for companies such as SGI/Cray, IBM,
> and several others where common sense is common practice. So the last
> thing I need here is someone attempting to tell me what I need to do
> on my systems when I've already taken preventive steps that exceed
> your narrow scheme of what security on a system is.

Oh, I get it. This is a pissing contest. I don't do those. You win.

I have no idea why you brought up your previous employers. How are the
names of your previous employers related to your ability to articulate
your problems, or to your comprehension of security issues? Also, how is
common sense related to policy *at all*? Policy stems from business
risks, not common sense. Common sense is what makes your butch girlfriend
put a condom over the strap-on dildo before she fucks you up the arse, so
as not to stain the dildo with your shit.

I was not trying to hurt your feelings deliberately, but I do have a
habit of my writing being short and to the point, and often people feel
walked on. I can only offer that this was not intentional in my first
letter. The tone of your response indicates to me that you prefer being
the target of name calling and belittling, as _surely_ you would not do
this to others if you didn't.

> In the first place only staff members have access to use sudo. duh. And
> as far as a file integrity checker, that was just pure logic to have that
> in place. The system that was compromised that caused the intrusion in
> the first place was a remote system that I was not in control of, so I had
> no idea that there was even a problem with users logging in from there
> and having their passwords compromised by said remote system.

This is precisely why I feel your question was one of policy. Your policy
seems to stipulate that remote system access from uncontrolled systems is
allowed. Both OpenSSH and sudo offer many methods of authentication,
including ones that cannot be replayed. I certainly do not wish to dictate
your policy of remote access as there are many aspects of your needs,
including being bumfucked by your girlfriend, that I currently don't
understand. I thought perhaps you would utilize one of the authentication
forms which cannot be replayed, should the credentials be captured by an
intruder on the remote system from which an authorised connection is
made.

> You know, I asked for a solution or to be pointed in the right direction. Not
> for advice that has nothing to do with what I was asking. I have other
> methods of authentication that I can use, of course. This wasn't at all
> the question. I wanted a way to use sudo and incorporate into that solution
> a way to set up a secondary password file which we can use PAM to do auth
> with instead of the old way of using sudo having the same passwords as
> the login. While sudo is a nice tool, its manner of doing what it does
> lacks any real logic. Why would you have a tool that gives a user the
> ability to maybe su to root without there being something more than
> the user's own login password to get them there? No logic at all. There
> should have been a secondary password file idea written into sudo at the
> time it was wrote. Plain and simple.

I think you mean "at the time it was written".

Grammar corrections aside, the secondary password file exists in the form
of the multiple authentication methods within sudo. Last I looked, sudo
supported Kerberos and RADIUS authentication. There's your second
password right there. Feel free to read the sudo manual anytime this
century.

Having worked for companies such as SGI/Cray, IBM, and several others, I
am sure you realise that this second password you so crave can be stolen
by a malicious remote system like the initial logon password can. My
advice to you is to disallow remote logins from untrusted systems or,
that being impossible for various reasons, switch to stronger forms of
authentication for login and sudo access.

> Sorry, but this reply just really annoyed me.. Note.. I haven't posted
> this reply to the list out of general respect for others that don't need
> to see me flaming people such as yourself who haven't a bloody clue as
> to how to answer a question without coming off as you know better than I.
> You don't, or you'd have kept your mouth shut and said nothing at all.

You could easily have left out one of "kept your mouth shut" or "said
nothing at all". I would have understood.

> You not only didn't answer my question, but you managed to ensure my
> general lack of respect for would-be admins such as yourself that flood
> the market and prevent people such as myself from finding decent jobs where
> there is some level of respect for the work that I and others like me do.

I feel I must correct your thoughtless assumptions; first, I am not a
would-be system administrator. One of my previous jobs included admin
duties, but that is the extent of it. Second, I have it on good authority
that there are no people like me in the world. Third, assuming the
location in your .sig is correct, I am around 8000 miles from you.

If I can keep you out of a decent system administrator job by 1) not
being one, 2) no others like me chasing the same jobs you are, and 3)
being nowhere *near* your physical location, I can only conclude that
these factors are not the real reasons you cannot get a job, and that
your incompetence, horrible BO and your whiny voice when pressured are
the real reasons.

> Begone with your ignorance.. You are a tosser.

Hope this helped!

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.            http://a.area51.dk/
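The secondary password file Rob asks for, as an added example written here and not taken from either poster: a PAM stack for sudo (assumed path /etc/pam.d/sudo, sudo built with PAM support, Linux-PAM's pam_userdb) that checks a separate Berkeley DB password file instead of the login password, with the usual stack shown commented out above it.

```text
# /etc/pam.d/sudo  (assumed path; sudo must be built with PAM support)
#
# Before: the stock stack hands off to the system login password, so a
# login password captured on a remote box also unlocks sudo.
#auth     include   system-auth
#
# After: authenticate against a separate password database.
# pam_userdb opens the file named by db= with a .db suffix appended
# (check pam_userdb(8) for your version); crypt=crypt means the stored
# values are crypt(3) hashes rather than plaintext.
auth      required  pam_userdb.so db=/etc/sudo-auth crypt=crypt
account   required  pam_permit.so
session   required  pam_permit.so

# Build the database from a text file of alternating lines
# (username, then the crypt(3) hash of that user's sudo password):
#   db_load -T -t hash -f sudo-auth.txt /etc/sudo-auth.db
#   chmod 600 /etc/sudo-auth.db
```

Alex's point still holds: this second password is typed over the same session as the login, so anything that captured the login password can capture it too, which is why he pushes non-replayable methods such as Kerberos instead.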