SUMMARY: SSH & root logins

From: <Tony_Schloss_at_ao.uscourts.gov>
Date: Mon Mar 01 2004 - 13:01:14 EST
First, thanks to the multitude who replied to my little survey.  Among 
other things, I learned how to better construct a survey for a nice 
disparate mailing list <g>.

I had 22 folks from the list respond; since I've no idea how many are 
actually on the list, I can't say if that's a good return or not (anyone 
have a notion as to the number subscribed?).  The results below are in 
very round numbers:  the first number is the percentage of the whole (all 
22 respondents); the second number is the percentage of those who 
explicitly addressed that point or area.  There weren't a lot of really 
big surprises -- turns out that as I came out from the window-less (and 
often joyless!) basement that is the intelligence world, it's not so 
different in the sunshine (though sadly enough, I wound up back in the 
basement again <sigh>). 

All that said, here are the numbers I came up with:

Deny direct root login in any form: 
        36% (88%)
Allow root login with authorized_keys:
        9% (55%, doesn't include those who use central login servers*)
Allow root login with password:
        14% (60%)
Allow user login with authorized_keys:
        41% (69%)
Allow user login with password:
        27% (75%)
Force both authorized_keys *and* password:
        4% (1 respondent; does allow root login)
Use sudo or equivalent:
        36%
Use su:
        18%
Use Kerberos:
        9%
Use centralized server(s) for root logins:
        14%

* the concept of the centralized server for root access is that one would 
ssh into this server as yourself, su to root (to create an audit trail and 
to re-authenticate at the root level), then have access to other servers, 
as root, using authorized_keys (this box would presumably be locked down 
considerably more heavily than others).
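The root and user login categories in the survey above correspond to a handful of sshd_config directives. The following shell script is an added example, not part of Tony's post or the list's own tooling: it reads an sshd_config and reports which survey categories the box falls into. It assumes OpenSSH 7.0+ defaults for absent directives (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes), "keyword value" syntax without '=', and only examines the global section before the first Match block.

```shell
#!/bin/sh
# Added audit helper (not from the original post): map an sshd_config onto
# the root/user login categories used in the survey.
# Assumptions: OpenSSH 7.0+ defaults for absent directives; "Keyword value"
# syntax (no '='); only the global section before the first Match block is
# read; sshd honours the FIRST occurrence of a keyword, so we do the same.

# sshd_opt FILE KEYWORD DEFAULT -> prints the effective value, lowercased
sshd_opt() {
    _val=$(awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments/blanks
        tolower($1) == "match"      { exit }          # stop at first Match
        tolower($1) == tolower(key) { print tolower($2); exit }  # first wins
    ' "$1")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

# classify_sshd_config FILE -> one line per survey category that applies
classify_sshd_config() {
    root=$(sshd_opt "$1" PermitRootLogin prohibit-password)
    pass=$(sshd_opt "$1" PasswordAuthentication yes)
    pubkey=$(sshd_opt "$1" PubkeyAuthentication yes)

    case "$root" in
        no)  echo "deny direct root login in any form" ;;
        yes) # root may use any method that is globally enabled
             [ "$pubkey" = yes ] && echo "allow root login with authorized_keys"
             [ "$pass" = yes ]   && echo "allow root login with password" ;;
        without-password|prohibit-password)
             [ "$pubkey" = yes ] && echo "allow root login with authorized_keys" ;;
        forced-commands-only)
             echo "allow root login with authorized_keys (forced commands only)" ;;
    esac
    [ "$pubkey" = yes ] && echo "allow user login with authorized_keys"
    [ "$pass" = yes ]   && echo "allow user login with password"
    return 0
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then classify_sshd_config "$1"; fi
```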

Noteworthy Notes, notably well-worthy of noting:
- 1 respondent allows user-level authorized_keys login only, across the 
board -- no direct root login ever, no passwords ever
- 1 respondent was just the opposite -- user-level passwords only, no 
authorized_keys anywhere, ever, and no direct root login, ever.
- 1 respondent brought up the aspect of laptops that wind up missing -- 
laptops that have users' private keys on them; this respondent uses 
(short-duration) passwords only across the board.  Good point -- I hadn't 
thought of laptops (they aren't too prevalent in the dark underworld), and 
now I'm even more paranoid <g>.
- 1 respondent explicitly mentioned the further lack of safety factor 
involved in having private keys stored on an NFS-shared home directory 
structure.  A very good point -- hadn't thought of this, since we don't 
use NFS on our boxes, but one of the folks who's at the root of the whole 
issue (no pun intended) relies on it heavily.

General Thoughts:
- one size doesn't fit all (and often, mileages *do* vary <g>); you do 
what you need to do, depending on agency or company policy, your 
comfort level, and user comfort level (generally in that order)
- sudo was obviously popular -- most who responded that they use it, force 
its use for administrative tasks.  One respondent uses sudo exclusively 
for any kind of root access requirement (except single-user mode, the only 
place where a root-level logon is allowed or a password is used).  Some 
use of sudo was heavy, some was not.
- environment and legacy/history obviously dictate a lot of what we're 
allowed to get away with, or not, in the security area; a small number of 
respondents were stuck in an environment where they still had to allow 
telnet with passwords running around naked all over the wire (they were 
quite chagrined at this, however), and a couple were in the process of 
disallowing this sort of practice (getting rid of telnet, ftp, etc.).  But 
we're stuck in the environment in which we're stuck, often.
- most were ambivalent towards ssh-agent, if addressed at all.

Hope this info is able to help someone else, as well; as for me, it 
verified that I'm not insane (there's always question on that issue, is 
there not?? <g>), it gave me a couple of options that I hadn't thought 
about before, and it strengthened a couple of arguments that I already 
had.

Again, my thanks for your time.  Have a wonderful March!
Tony
~~~~~~~~~
Tony Schloss
(statements & opinions here are solely my own; they offer no reflection of 
my employer, and all that jazz)
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Mon Mar 1 13:01:05 2004