At 994738826s since epoch (07/10/01 02:20:26 -0400 UTC), Micah Anderson wrote:

> These both seem like excellent practices, for the clueless in all of us -
> can someone describe how this is done for sudo? How do you configure PAM to
> require alternative passwords, which expire and age, and are decent
> passwords? And how does one reliably log sudo logs offsite?
Please take a large grain of salt before reading; I haven't done this stuff in a while so I'm rusty on it. I've included references to where I've gotten the info so you can read more about it yourself.

One can log to a different host by putting @hostname in your syslog.conf file. I believe it looks like this (`man syslog.conf`):

    auth,authpriv.*    @log.myotherhost.com

(assuming you have sudo logging at level auth). I know this may seem obvious, but make sure that this machine does not share admin accounts with the machine you're logging from, or the hacker will just break in and change the logs!

As for PAM fun, try the following:

    apt-get install libpam-doc libpam-opie libpam-pwdfile

The first is docs, the second is OTP (one-time passwords), and the third is to authenticate against "passwd-like" files. The idea with the third is that you make another passwd file (/etc/sudo.passwd) and put all your sudoers in it. Then, change /etc/pam.d/sudo to say:

    auth required /lib/security/pam_pwdfile.so pwdfile /etc/sudo.passwd

(`less /usr/doc/libpam-pwdfile/README`)

Also, from that README:

==
The ASCII password file is simply a list of lines, each looking like this:

    username:crypted_passwd[13]

in the case of vanilla crypted passwords,

    username:crypted_passwd[34]

in the case of MD5 crypted passwords.
==

To do OTP instead, read /usr/doc/libpam-opie/README.Debian. A full discussion of OTP and how to set it up and use it is beyond the scope of this thread. Perhaps another thread would be good for that if people are interested. There are merits to be debated, and a whole other flamewar awaits that topic... =)

Anyway, that's my first stab at it; others, please comment! I'm not sure if this is the best/right way to do it, but I hope this gets things going.

Jason

--
Jason Healy | [EMAIL PROTECTED]
LogN Systems | http://www.logn.net/
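The following is an added example, not part of Jason's post or of libpam-pwdfile itself: a small linter for a pam_pwdfile-style file that checks each line against the username:crypted_passwd[13] / username:crypted_passwd[34] format quoted from the README, and flags legacy 13-character DES entries, malformed lines and duplicate users. The sample file contents are constructed, not real credentials.

```python
"""Lint a pam_pwdfile-style password file (username:crypted_passwd per line).

Added example; the classification rules below follow the README text quoted
in the thread (13-char traditional crypt vs 34-char MD5 crypt).
"""
import re

# Constructed sample content standing in for /etc/sudo.passwd (not real credentials).
SAMPLE_SUDO_PASSWD = """\
alice:$1$Zq4xGh2k$WcPdqwZ9hYlbvQFM5oHLq/
bob:ab3kF8Jz0LmQe
carol:$1$short
dave
alice:$1$Zq4xGh2k$WcPdqwZ9hYlbvQFM5oHLq/
"""

# 13 characters from the crypt(3) alphabet: traditional DES crypt.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# "$1$" + salt (up to 8 chars) + "$" + 22-char digest: MD5 crypt, 34 chars with an 8-char salt.
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def classify_hash(crypted):
    """Return 'md5', 'des' or 'invalid' for one crypted_passwd field."""
    if MD5_RE.match(crypted):
        return "md5"
    if DES_RE.match(crypted):
        return "des"
    return "invalid"


def lint_pwdfile(text):
    """Return (entries, findings): entries maps user -> hash type for usable
    lines; findings lists human-readable problems with line numbers."""
    entries, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append(f"line {lineno}: malformed, expected username:crypted_passwd")
            continue
        user, _, crypted = line.partition(":")
        kind = classify_hash(crypted)
        if kind == "invalid":
            findings.append(f"line {lineno}: {user}: hash is neither 13-char DES nor 34-char MD5 crypt")
            continue
        if kind == "des":
            findings.append(f"line {lineno}: {user}: legacy DES crypt (8-char password limit); prefer MD5")
        if user in entries:
            findings.append(f"line {lineno}: duplicate entry for {user}; PAM will use the first match")
            continue
        entries[user] = kind
    return entries, findings
```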