experiences with openssh automation
Robert Brockway
rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
Wed Aug 10 06:54:49 UTC 2005
On Tue, 9 Aug 2005, Mike Kallies wrote:
[Refering to alternatives to using ssh to get access to /etc/shadow]
> I've heard this argument many times, but I've never heard of any
> alternatives.
LDAPS, NIS+ (the latter is hard to set up).
NIS is easy to setup but not secure.
> Remote root access from ssh is risky somehow because the root account is
> common. (IMHO it's not such a big deal because you can force key-only
> authentication for root and spare everyone a lot of trouble... )
I prefer to encourage the use of ssh through a user a/c and additional
authentication to get root. IMHO it should be a bit annoying to get root.
It's easy for an admin to get lazy and do stuff as root that could be done
through an unprivileged account.
> Remote access with a non-root account which has root-like priviliges
> through sudo is supposedly less risky because no password authentication
> is possible, making brute force password attacks on the account
Directly over ssh - yes. Brute force attacks on ssh are very common
today as many of us know.
> impossible. The private key would have to be guessed for brute force to
> work.
And the passphrase if there is one. With a strong passphrase in place
this is considered an intractible problem with 1024bit RSA keys today.
> The only real danger as I can tell is if your automation servers are
> compromised... but that's unavoidable. If you need to have central
> servers from which you can install updates or monitor systems, those same
> servers can be used to install trojans or steal data.
They sure can. I do patching manually everywhere. For one thing very few
vendors are doing security patching properly - where you can be sure the
box will just get the updates it needs. I've seen many a vendor break
functionality on supposedly safe security updates.
I rarely touch MS-Windows and I can understand MS-Windows admins needing
to patch large numbers of workstations. I strongly support the use of
thin clients in the unix environment, one of the reasons being the reduced
admin overhead (no patching of workstations :) There are other reasons
too. http://www.opentrend.net goes into this a bit but we plan to add
more information on thin clients.
In cases where the number of boxes is very large or where backend servers
are being built and rebuild (eg, for testing) I usually use something like
kickstart or jumpstart.
IMHO if the number of individual (unix) servers is so large that it is
infeasible for the admins to do manual security updates then they probably
need to expand the admin team since they are probably lacking the staff to
do proper administration as well.
Cheers,
Rob
--
Robert Brockway B.Sc. Phone: +1-416-669-3073
Senior Technical Consultant Email: support-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
OpenTrend Solutions Ltd. Web: www.opentrend.net
We are open 24x7x365 for technical support. Call us in a crisis.
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
More information about the Legacy
mailing list