
Re: Authentication question from HP labs

 
Brad Klein
Advisor

Authentication question from HP labs

The HP Partition Management group would like to understand how system administrators are authenticated and authorized to perform system administration tasks in your environment.

1) Are system administrators in your environment given the root password?

2) If yes, do system administrators typically authenticate (login) to the system as root?

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

Thanks in advance for your valuable responses,

HP Partition Management group.
Pete Randall
Outstanding Contributor
Solution

Re: Authentication question from HP labs

Brad,

In my environment, I'm the only SysAdmin (though my DBA has some limited expertise). We log in as ourselves and use su to gain root privileges. With only the two of us, auditing and restricting privileges and the like have never been an issue, so we do not use sudo or anything.


Pete

Steven E. Protter
Exalted Contributor

Re: Authentication question from HP labs

Answers:


1) Are system administrators in your environment given the root password?

Yes, we have only one full time and one backup.

2) If yes, do system administrators typically authenticate (login) to the system as root?

Currently we allow root login. We are considering requiring su - from a normal user id.


3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

su - root

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

Currently testing sudo, not decided on how to proceed.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Patrick Wallek
Honored Contributor

Re: Authentication question from HP labs

1) Yes! (I'm not sure I'd work somewhere the SA's didn't have the root password)

2) Depends. I usually log on to the system with a generic id and then 'su -' as necessary.

3) N/A

4) Yes we use sudo as well for some things.

Dave La Mar
Honored Contributor

Re: Authentication question from HP labs

#1) Yes

#2) Yes

#3-4) su is also used.

Small shop, 1 full time HP SA, and one manager as SA for all platforms.

Regards,

dl
"I'm not dumb. I just have a command of thoroughly useless information."
Dave Hutton
Honored Contributor

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?

Yes and actually our DBA's have it too. They are only "supposed" to use it for installing oracle. But we've caught them doing other things.


2) If yes, do system administrators typically authenticate (login) to the system as root?

At this place, people log in directly to any generic accounts (oracle, root, application related, ...)

At a prior company I worked at, you couldn't log in as root or oracle directly. You had to su from your user up to it.

3) Even though I answered yes to both 1&2, there have been cases where we tried using sudo.

4) Yes, mostly it was brought in for applications that shouldn't have been installed as root, to allow the application people to start and stop it.
Paul Cross_1
Respected Contributor

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?

Yes.

2) If yes, do system administrators typically authenticate (login) to the system as root?

No, we log in as ourselves, and su - root.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

su - root.

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

Yes. Some application administration done by other groups requires elevated privileges; for this we use sudo, never "sudo su, sudo vi, etc." however.
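
The restriction described in the post above (sudo for delegated application tasks, but never `sudo su` or `sudo vi`) can be checked mechanically. The following is an added example, not part of the original post: a shell function that scans sudoers text and flags rules granting a root shell, a shell-capable editor or pager, or unrestricted `ALL`. The sudoers lines, user names and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudoers rules that amount to full root access.
# Simplified parser: one rule per line, no line continuations, and
# Cmnd_Alias names used in rules are not expanded (alias bodies are scanned).

# Constructed sample; users and paths are illustrative only.
SAMPLE_SUDOERS='# constructed sample, not from the thread
Defaults logfile=/var/adm/sudo.log
User_Alias APPADM = alice, bob
Cmnd_Alias APPCTL = /opt/app/bin/start, /opt/app/bin/stop
APPADM ALL = (root) APPCTL
carol ALL = (root) NOPASSWD: /usr/bin/su -
dave ALL = /usr/bin/vi /etc/hosts, /usr/sbin/swinstall
erin ALL = (ALL) ALL'

# Reads sudoers text on stdin; prints LINE:REASON:COMMAND for each risky entry.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                         # comments, blanks
    /^[ \t]*(Defaults|(User|Host|Runas)_Alias)/ { next }      # not command lists
    {
        eq = index($0, "=")
        if (eq == 0) next
        cmds = substr($0, eq + 1)
        gsub(/\([^)]*\)[ \t]*/, "", cmds)                     # drop (runas) specs
        gsub(/(NO)?(PASSWD|EXEC|SETENV):[ \t]*/, "", cmds)    # drop tags
        n = split(cmds, c, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            cmd = c[i]
            sub(/^[ \t]+/, "", cmd); sub(/[ \t]+$/, "", cmd)
            split(cmd, w, /[ \t]+/)
            base = w[1]; sub(/.*\//, "", base)                # command basename
            if (cmd == "ALL") reason = "unrestricted"
            else if (base ~ /^(su|sh|ksh|csh|bash)$/) reason = "root-shell"
            else if (base ~ /^(vi|vim|view|ex|more|less)$/) reason = "shell-escape"
            else continue
            printf "%d:%s:%s\n", NR, reason, cmd
        }
    }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

Only the start/stop delegation passes clean; the `su`, `vi` and `ALL` grants are reported because each gives the user an unaudited root shell.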
Michael Tully
Honored Contributor

Re: Authentication question from HP labs

1) Yes. I did work at a place once, where we did not have root passwords at all, but had to use a tool called 'qsu'

2) We use 'sudo' on most systems and only use the root password from a secret cheat sheet only when absolutely necessary. No system is allowed direct root access other than from the console.

3) sudo

4) No - If root access is required, then any scripts etc that must be run are done by the SA.
Anyone for a Mutiny ?
Robert-Jan Goossens
Honored Contributor

Re: Authentication question from HP labs

-1- Yes

-2- No, generic account + sudo

-3- su - + sudo

-4- sudo
G. Vrijhoeven
Honored Contributor

Re: Authentication question from HP labs

Hi,

1) No but an envelope containing the root passwd in case of an emergency (console login)

2) No, they log in as users. The admins can become root providing their own passwd.

3) (GSP web)Console login. if server crashes, and a tool called be root is provided for elevated privileges

4) be root is a similar tool. I used to work with sudo.

Regards,

Gideon


Denver Osborn
Honored Contributor

Re: Authentication question from HP labs

1) yes

2) no (try to use only as last resort)

3) login as self then su to root

4) no other utils used.

we try to avoid any direct root logins, and each admin who su's to root has their own shell history (.sh_username)

hope this helps,
-denver
A. Clay Stephenson
Acclaimed Contributor

Re: Authentication question from HP labs

1) Yes
2) Only if they don't mind being adjusted with a baseball bat. There's nothing like being your own worst enemy.
3) su - root
4) Yes, sudo or custom setuid C programs
If it ain't broke, I can fix that.
H.Merijn Brand (procura
Honored Contributor

Re: Authentication question from HP labs

1) Worse: all the users know the root passwords, but then again, we have only 8 users, and all of them have to perform administration once in a while
2) Yes. Worst thing someone can do is stay logged in as root. Do your thing and logout is the rule we use. No one `works' as root: strongly forbidden.
3) su root
4) yes, sudo slightly patched - and I will not elaborate on how and why for obvious security reasons

Enjoy, Have FUN! H.Merijn
Rodney Hills
Honored Contributor

Re: Authentication question from HP labs

1) SA does have the root password (only me)
2) I login as myself, then do a "su" for root access
3/4) Everyone else goes through "sudo".

-- Rod Hills
There be dragons...
James A. Donovan
Honored Contributor

Re: Authentication question from HP labs

1) Yes they are.
2) No. They login under their individual accounts
3) We use sudo for most commands that require root privileges, otherwise we login on the console.
4) Sudo
Remember, wherever you go, there you are...
Seth Parker
Trusted Contributor

Re: Authentication question from HP labs

1. Yes
2. No, except from console for reboots, etc.
3. Login as self then su -
4. Nothing at the moment

It's always nice to be able to provide input!

Regards,
Seth
Ravi_8
Honored Contributor

Re: Authentication question from HP labs

Hi

1. Yes, sys admin will be having root passwd
2. No.
3. sys admin logs in using his id and then su to be root
4. we use sudo to give access to users to perform only swinstall/swremove
never give up
Rainer von Bongartz
Honored Contributor

Re: Authentication question from HP labs

1) NO, the root password is split between two people and both parts are stored in a safe for emergency needs.

2) n.a.

3) one person can use "sudo su -" to gain root privileges, the other must use "sudo "

4) sudo

He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Robert Binkhorst
Trusted Contributor

Re: Authentication question from HP labs

Hi Brad,

1) Are system administrators in your environment given the root password?

Yes. All SA's know the root password. It is changed every month though.

2) If yes, do system administrators typically authenticate (login) to the system as root?

We do at the moment. We're implementing LDAP and will force everyone to login as themselves and su or sudo. Then, only root access to the console will be allowed. Consoles can only be reached through a separate network.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

We're moving to sudo for specific application and monitoring tasks.

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

We're using a sudo version from the HP porting archive, I would like to see a HP supplied one come out though.
linux: the choice of a GNU generation
Vijaya Kumar_3
Respected Contributor

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?

YES, We change this every month.

2) If yes, do system administrators typically authenticate (login) to the system as root?

No, every admin in our environment is having their own user accounts. We login to unix boxes using SSH with this account. We use su to change to root. NO Direct root logins are allowed.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

We su to root. In trusted systems we have sudo installed. We use sudo to do admin tasks.

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

We use only sudo as of now.

Known is a drop, unknown is ocean - visit me at http://vijay.theunixplace.com
Jakes Louw
Trusted Contributor

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?

No

2) If yes, do system administrators typically authenticate (login) to the system as root?

N/A

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

We use a product called Omniguard that sets up profiles and does keystroke logging. SAs log in using their private accounts, then perform "/usr/local/bin/pmrun su -", after which the SA is prompted to supply a profile password. After that, all access is equivalent to full root access.

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names

I understand that Omniguard is based on SUDO with an extensive shell around it.
Trying is the first step to failure - Homer Simpson
MarkSyder
Honored Contributor

Re: Authentication question from HP labs

Yes to questions 1 and 2.

I give limited super user privileges to other users via sudo.

Mark Syder (like the drink but spelt different)
The triumph of evil requires only that good men do nothing
Kurt Beyers.
Honored Contributor

Re: Authentication question from HP labs

1. Yes

2. logon with their own user and su - then

3. /

4. sudo or super is not being used for the moment.

best regards,
Kurt
Mark Grant
Honored Contributor

Re: Authentication question from HP labs

All system administrators are not only given but also admin the root passwords.

Typically we log in as a normal user and su - . One exception to this is when doing work at the system console.

We do not use "sudo" but do occasionally use SETUID binaries.
Never precede any demonstration with anything more predictive than "watch this"
Tomek Gryszkiewicz
Trusted Contributor

Re: Authentication question from HP labs

1. Yes
2. usually yes, but not all
3. su
4. For some users we are using sudo with the privilege to use one command only.