On Fri, 13 Mar 2009, Mark McCullough wrote:

> [email protected] wrote:
>> On Fri, 13 Mar 2009, Mark R. Lindsey wrote:
>
> [snip]
>
>>> It's interesting that driver's licenses have come up, because that's
>>> an example of establishing "Common Knowledge". We have Common
>>> Knowledge if you know you're supposed to disable ssh root logins, and
>>> I know that too, and I know that you know, and you know that I know,
>>> and I know you know I know, ad infinitum. [1, 2]
>>
>> except when it makes sense to have ssh root logins enabled (so that
>> central management tools can do root privilege required functions on the
>> box for example)
>
> It never makes sense to enable direct login to the root account. Central
> management tools need to be written with individual accountability in
> mind, unlike a "parallel ssh" or "mrssh" type approach which is designed
> to cloak the responsibility for the actions.
>
> Direct login to an interactive session for an account without individual
> accountability has been a Bad Idea(tm) for many years now.
>
> I've had to explain this concept over and over where I work. Especially
> for people in a trusted position (sysadmins, senior DBAs, etc.)
> maintaining that individual audit trail of who did what is an essential
> part to dealing with such "positions of special trust" as was referenced
> earlier. Having this individual accountability trail enshrined into
> policy is part of how my employer deals with these issues.
I don't see a huge difference between logging in to a UID 0 account named
'root' or a UID 0 account named 'management' (and not much more difference
in logging in as UID 500 and then doing a su or sudo to UID 0). I would
prefer to have neither one take place, but if it is mandated that tool X
must be able to remotely access the box and do things that can only be
done as UID 0, you have to either not use that tool or give it remote
access to UID 0.

David Lang
_______________________________________________
Discuss mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
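The thread turns on whether a host's sshd still permits a direct root shell, including through a Match carve-out added for a management network. The following is an added example, not code from the list or from any poster, that parses an sshd_config and reports the effective PermitRootLogin value per scope. It assumes OpenSSH's documented parsing rules: keywords are case-insensitive, the first value obtained for a keyword wins, and directives after a Match line apply only to connections satisfying that block's criteria. The sample config is constructed for the example.

```python
"""Report whether an sshd_config permits direct root login over ssh.

Added example, not code from the mailing-list thread.  Assumes OpenSSH's
documented parsing: case-insensitive keywords, first value obtained wins,
and post-'Match' directives apply only to connections matching that block.
"""
import re
from typing import Dict, List

# PermitRootLogin values that still give an interactive UID 0 shell over ssh
# (password and/or key based).  'forced-commands-only' and 'no' do not.
INTERACTIVE_ROOT = {"yes", "without-password", "prohibit-password"}

# Default when the keyword is absent: 'yes' before OpenSSH 7.0,
# 'prohibit-password' from 7.0 on.  Pass the one matching the host.
KEYWORD = "permitrootlogin"
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {scope: {keyword: first value}}; scope is 'global' or the
    lower-cased criteria of a Match block (e.g. 'address 10.0.0.0/8')."""
    scopes: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = value.lower()
            scopes.setdefault(current, {})
            continue
        scopes[current].setdefault(key, value)  # later duplicates are ignored
    return scopes


def effective_root_login(text: str, default: str = "prohibit-password") -> Dict[str, str]:
    """Effective PermitRootLogin per scope: a Match block that does not set
    it inherits the global value; the global value falls back to `default`."""
    scopes = parse_sshd_config(text)
    global_value = scopes["global"].get(KEYWORD, default).lower()
    result = {"global": global_value}
    for scope, keys in scopes.items():
        if scope != "global":
            result[scope] = keys.get(KEYWORD, global_value).lower()
    return result


def scopes_allowing_root_shell(text: str, default: str = "prohibit-password") -> List[str]:
    """Scopes under which a client can obtain a direct root shell, i.e. the
    configuration the thread argues should not exist."""
    return [s for s, v in effective_root_login(text, default).items()
            if v in INTERACTIVE_ROOT]


# Constructed sample config (not from any real host).
SAMPLE_CONFIG = """\
# hardened default for everyone
Port 22
PermitRootLogin no
# later duplicate: sshd ignores it, the first value wins
PermitRootLogin yes
# carve-out for a management network; this is the finding
Match Address 10.0.0.0/8
    PermitRootLogin without-password
# the deploy user inherits the global 'no'
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for scope, value in effective_root_login(SAMPLE_CONFIG).items():
        flag = "ROOT SHELL" if value in INTERACTIVE_ROOT else "ok"
        print(f"{scope:25} PermitRootLogin={value:<18} {flag}")
```

Run against the sample, the global scope and the `Match User deploy` block come out as `no`, while the `Match Address 10.0.0.0/8` block is reported as still handing out a root shell to the management network, which is exactly the kind of tool-driven exception the thread is about. Point it at a real `/etc/ssh/sshd_config` by reading the file into `text`, and pass `default="yes"` for pre-7.0 hosts.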
