topic Re: Authentication question from HP labs in Operating System - HP-UX

Authentication question from HP labs

Brad Klein — Tue, 02 Mar 2004 14:21:00 GMT

The HP Partition Management group would like to understand how system administrators are authenticated and authorized to perform system administrations tasks in your environment.

1) Are system administrators in your environment given the root password?

2) If yes, do system administrators typically authenticate (login) to the system as root?

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

Thanks in advance for your valuable responses,

HP Partition Management group.

Re: Authentication question from HP labs

Pete Randall — Tue, 02 Mar 2004 14:24:25 GMT

Brad,

In my environment, I'm the only SysAdmin (though my DBA has some limited expertise). We log in as ourselves and use su to gain root privileges. With only the two of us, auditing and restricting privileges and the like have never been an issue, so we do not use sudo or anything.

Pete

Re: Authentication question from HP labs

Steven E. Protter — Tue, 02 Mar 2004 14:25:38 GMT

Answers:

1) Are system administrators in your environment given the root password?

Yes, we have only one full time and one backup.

2) If yes, do system administrators typically authenticate (login) to the system as root?

Currently we allow root login. We are considering requiring su - from a normal user id.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

su - root

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

Currently testing sudo, not decided on how to proceed.

SEP

Re: Authentication question from HP labs

Patrick Wallek — Tue, 02 Mar 2004 14:27:39 GMT

1) Yes! (I'm not sure I'd work somewhere the SA's didn't have the root password)

2) Depends. I usually log on to the system with a generic id and then 'su -' as necessary.

3) N/A

4) Yes we use sudo as well for some things.

Re: Authentication question from HP labs

Dave La Mar — Tue, 02 Mar 2004 14:32:42 GMT

#1) Yes

#2) Yes

#3-4) su is also used.

Small shop, 1 full time HP SA, and one manager as SA for all platforms.

Regards,

dl

Re: Authentication question from HP labs

Dave Hutton — Tue, 02 Mar 2004 15:26:27 GMT

1) Are system administrators in your environment given the root password?

Yes and actually our DBA's have it too. They are only "supposed" to use it for installing oracle. But we've caught them doing other things.

2) If yes, do system administrators typically authenticate (login) to the system as root?

This place any generic accounts people log in directly (oracle, root, application related, ...)

A prior company I worked at you couldn't log as root or oracle directly. You had to su from your user up to it.

3) Even though I answered yes to both 1&2 there have been causes where we tried using sudo.

4) Yes, mostly it was brought in for applications that shouldn't of been installed as root, to allow the application people start and stop it.

Re: Authentication question from HP labs

Paul Cross_1 — Tue, 02 Mar 2004 15:32:49 GMT

1) Are system administrators in your environment given the root password?

Yes.

2) If yes, do system administrators typically authenticate (login) to the system as root?

no, we login as ourselves, and su - root.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

su - root.

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

Yes. some application administration done by other groups require elevated privileges, for this we use sudo, never "sudo su, sudo vi, etc." however.

Re: Authentication question from HP labs

Michael Tully — Tue, 02 Mar 2004 16:27:42 GMT

1) Yes. I did work at a place once, where we did not have root passwords at all, but had to use a tool called 'qsu'

2) We use 'sudo' on most systems and only use the root password from a secret cheat sheet only when absolutely necessary. No system is allowed direct root access other than from the console.

3) sudo

4) No - If root access is required, then any scripts etc that must be run are done by the SA.

Re: Authentication question from HP labs

Robert-Jan Goossens — Tue, 02 Mar 2004 16:54:04 GMT

-1- Yes

-2- No,generic account + sudo

-3- su - + sudo

-4- sudo

Re: Authentication question from HP labs

G. Vrijhoeven — Tue, 02 Mar 2004 17:06:05 GMT

Hi,

1) No but an envelope containing the root passwd in case of an emergency (console login)

2) No, they log in as users. The admins can become root providing theire own passwd.

3) (GSP web)Console login. if server crashes, and a tool called be root is provided for elevated privileges

4) be root is a simular tool. I used to work with sudo.

Regards,

Gideon

4)

Re: Authentication question from HP labs

Denver Osborn — Tue, 02 Mar 2004 17:14:49 GMT

1) yes

2) no (try to use only as last resort)

3) login as self then su to root

4) no other utils used.

we try to avoid any direct root logins, and each admin who su's to root has their own shell history (.sh_username)

hope this helps,
-denver

Re: Authentication question from HP labs

A. Clay Stephenson — Tue, 02 Mar 2004 17:25:25 GMT

1) Yes
2) Only if they don't mind being adjusted with a baseball bat. There's nothing like being your own worst enemy.
3) su - root
4) Yes, sudo or custom setuid C programs

Re: Authentication question from HP labs

H.Merijn Brand (procura — Tue, 02 Mar 2004 18:24:20 GMT

1) Worse: all the users know the root passwords, but then again, we have only 8 users, and all of them have to perform administration once in a while
2) Yes. Worst think someone can do is stayed login as root. Do your thing and logout is the rule we use. Noone `works' as root: stronly forbidden.
3) su root
4) yes, sudo slightly patched - and I will not elaborate on how and why for obvious security reasons

Enjoy, Have FUN! H.Merijn

Re: Authentication question from HP labs

Rodney Hills — Tue, 02 Mar 2004 18:28:06 GMT

1) SA does have the root password (only me)
2) I login as myself, then do a "su" for root access
3/4) Everyone else goes through "sudo".

-- Rod Hills

Re: Authentication question from HP labs

James A. Donovan — Tue, 02 Mar 2004 18:37:44 GMT

1) Yes they are.
2) No. They login under their individual accounts
3) We use sudo for most commands that require root privileges, otherwise we login on the console.
4) Sudo

Re: Authentication question from HP labs

Seth Parker — Wed, 03 Mar 2004 00:31:56 GMT

1. Yes
2. No, except from console for reboots, etc.
3. Login as self then su -
4. Nothing at the moment

It's always nice to be able to provide input!

Regards,
Seth

Re: Authentication question from HP labs

Ravi_8 — Wed, 03 Mar 2004 01:46:24 GMT

Hi

1. Yes, sys admin will be having root passwd
2. No.
3.sys admin login using his id and then su to be root
4.we use sudo to give access to users to perform only swinstall/swremove

Re: Authentication question from HP labs

Rainer von Bongartz — Wed, 03 Mar 2004 01:52:18 GMT

1) NO, the root password is split between two people and both parts are stored in a safe for emergency needs .

2) n.a.

3) one person can use "sudo su -" to gain root priviliges, the other must use "sudo "

4) sudo

Re: Authentication question from HP labs

Robert Binkhorst — Wed, 03 Mar 2004 02:09:21 GMT

Hi Brad,

1) Are system administrators in your environment given the root password?

Yes. All SA's know the root password. It is changed every month though.

2) If yes, do system administrators typically authenticate (login) to the system as root?

We do at the moment. We're implementing LDAP and will force everyone to login as themselves and su or sudo. Then, only root access to the console will be allowed. Consoles can only be reached through a separate network.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

We're moving to sudo for specific application and monitoring tasks.

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

We're using a sudo version from the HP porting archive, I would like to see a HP supplied one come out though.

Re: Authentication question from HP labs

Vijaya Kumar_3 — Wed, 03 Mar 2004 02:17:04 GMT

1) Are system administrators in your environment given the root password?

YES, We change this every month.

2) If yes, do system administrators typically authenticate (login) to the system as root?

No, every admin in our environment is having their own user accounts. We login to unix oxes using SSH with this account. We use su to change to root. NO Direct root logins are allowed.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

We su to root. In trusted systems we have sudo installed. We use sudo to do admini tasks.

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

We use only sudo as of now.