mark.pitt at ch.ibm.com wrote:
> ssh could give us:
>
> 1/ Centrally managed keys and access
> 2/ No more user accounts in wheel groups lying around various systems
> 3/ Standard tracking with logging to a server via syslogd.
> 4/ Passwords managed centrally via pass phrases instead of passwords on
> every machine.
>
> As far as not using root is concerned, all for it, but I am just trying to
> get some sort of control over root now. sudo etc. requires a lot more
> engineering, and again has to be done on a per-system basis.
Using per-admin accounts and su or sudo solves the problem in a generic
way, independent of how you manage accounts or how admins connect to your
servers (SSH, OpenSSH, Kerberized telnet, etc.). The audit trail from
this solution is arguably better as well (how much do you trust that the
public key comments you'd be logging are correct?). Sudo logs to syslog,
provides more granularity of control than either su or your solution, and
can have the sudoers file centrally managed and distributed just as easily
as ~root/.ssh/authorized_keys2.
--
Hello World. David Bronder - Systems Admin
Segmentation Fault ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm. david-bronder at uiowa.edu
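An added example of the centrally distributed sudoers file the reply describes; this is illustrative configuration, not something posted in the thread. The user names, host names and command paths are hypothetical, and it assumes a sudo version that understands the listed Defaults options. The point it shows is the granularity: each admin gets a named account and only the command list the policy grants, and every invocation, permitted or refused, is logged through syslog under the admin's own name rather than under a key comment in ~root/.ssh/authorized_keys2.

```sudoers
# Example sudoers fragment (hypothetical names and paths). Keep the master
# copy under version control, validate it with "visudo -c -f <file>" on the
# build host, then push the same file to every server.

# Per-admin accounts: the log line names the person, not "root".
User_Alias  ADMINS   = alice, bob
User_Alias  DBA      = carol

# Host groups so one file can describe the whole fleet.
Host_Alias  WEB      = web1, web2
Host_Alias  DB       = db1

# Command groups: finer than su (all or nothing) or a root login key.
Cmnd_Alias  SERVICES = /sbin/service httpd *, /sbin/service sshd *
Cmnd_Alias  DBTOOLS  = /usr/bin/mysqladmin, /usr/bin/mysqldump

# Logging: every sudo call is sent to syslog on the authpriv facility,
# which the central loghost already collects; the year and hostname are
# added so merged logs from many machines stay unambiguous.
Defaults    syslog=authpriv, log_year, log_host
# Reset the environment and run through a pty so sessions are well-formed.
Defaults    env_reset, use_pty

# Full admins may run anything on every host.
ADMINS      ALL = (root) ALL
# The DBA may run only the database tools, and only on the database host.
DBA         DB  = (root) DBTOOLS
# Web operators may restart web services on web hosts, nothing more.
bob         WEB = (root) SERVICES
```

Grant commands positively, as above; a negated entry such as `ALL, !/bin/bash` is not a security boundary, because the user can copy the shell to another path, and the sudoers manual says as much. On the audit side, a denied attempt is logged too (the familiar "user NOT in sudoers" or "command not allowed" line), so the syslog trail records what an admin tried as well as what succeeded, which a root login over ssh never shows.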