- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Re: Authentication question from HP labs
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-02-2004 09:33 PM
03-02-2004 09:33 PM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
The System Administrators in our environment are granted the root password. How ever due to security concerns we follow some of the points listed below
1. Telnets for root user is disabled
2. All System Administrators have to log on
as themselves and then do an 'su' to
root.
Yes, we do make use of utilities like sudo and super on a case by case basis to grant some one with elevated privileges.
regards
Mobeen
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-02-2004 09:38 PM
03-02-2004 09:38 PM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
1) Yes
2) Yes in some circumstances and at the console
3) The people who have some privileges but do not belong to the sysadm team use restricted sam or sudo
4) Yes we use sudo and su2. Mostly for maintenance scripts given to operators or cron files (stop/start separate oracle instances, backup/restore utilies etc...)
All the best
Victor
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-02-2004 09:42 PM
03-02-2004 09:42 PM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
2) root is disabled. All administrators must log in using their own account first (eg. ops_xx), then su - rootxx. Each have their own rootxx logins with separate audit trails for each.
3) n/a
4) No, we dont use sudo or super or anything similar. Weve found the above procedure in 2) above to be very effective. Non administrators should never need, or would be given, root password or access to any root priveleged commands via sudo.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-02-2004 09:51 PM
03-02-2004 09:51 PM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
No we do not use the root password.
We have access to the root password through permission of our manager. But just in case of urgent needs !
We use sudo to perform the sys admin tasks.
Kind regards,
Clemens
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-02-2004 10:35 PM
03-02-2004 10:35 PM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
On some systems we do have the password. Others require sign out by higher management and justification. It is changed when we are done.
2) If yes, do system administrators typically authenticate (login) to the system as root?
Only allowed on the console. Always su for auditing.
3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?
4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.
Not allowed.
Regards,
Dave.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 01:19 AM
03-03-2004 01:19 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
Yes.
2) If yes, do system administrators typically authenticate (login) to the system as root?
No.
3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?
We all have individual ID's, then switch to root
4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.
We have "super" installed on most systems, allowing our support staff to carry out basic functions (password resets, ID purges etc). Some of these functions are also scripted to prevent them from affecting restricted accounts (including our ID's, root, and the DBA master ID).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 01:39 AM
03-03-2004 01:39 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
1) Yes, we all have the root password(s).
2) No - login as root not possible - unless on console.
3) N/A
4) For Operators, we use Restricted SAM as well as utility suexec for some tasks.
We also maintain a separate .sh_history for each admin (from root's .profile):
# Set up logging
HISTFILE=${HOME}/.sh_history_`who am i|awk '{ print $1}'`
date >>$HISTFILE
export HISTFILE
HISTSIZE=500
export HISTSIZE
Rgds...Geoff
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 01:44 AM
03-03-2004 01:44 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
All sysadmins and our lead DBA have root pword.
admins almost always use root,
4) we don't use sudo or super for anything.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 01:59 AM
03-03-2004 01:59 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
Yes.
2) If yes, do system administrators typically authenticate (login) to the system as root?
Root access to the console is allowed only.
3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?
#su -
4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.
No
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 03:31 AM
03-03-2004 03:31 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
2. Mostly yes
3. Use 'su -'
4. sudo is used, but not for admins!
JP.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 03:37 AM
03-03-2004 03:37 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
2) No, it is not allowed
3 & 4) In separate and isolated environments su, sudo and super are all used
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 03:39 AM
03-03-2004 03:39 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
2) Must use su
4) We grant su to some user for managing their process which require root privillage.
Thanks,
Simon
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 03:55 AM
03-03-2004 03:55 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
2)YES (Though people are discouraged to login as root to perform non-administrative tasks, it has become a habit for us to type root whenever we see a login prompt :-))
3) -
4) I have used sudo to delicate certain permissions to other users.
-Karthik S S
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 04:20 AM
03-03-2004 04:20 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
2) NA
3) We get root-equivilent rights (like sudo and su) to do stuff
4) We use CA's eTrust Access Control, which contains a sudo and and 'protected' su. (sesudo and sesu)
Hope it helps
John
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 04:43 AM
03-03-2004 04:43 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
1) Are system administrators in your environment given the root password?
YES
2) If yes, do system administrators typically authenticate (login) to the system as root?
NO
3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?
SU TO ROOT, SUDO OR RESTRICTED SAM.
4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.
WE USE SUDO AND RESTRICTED SAM
Paula
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 05:13 AM
03-03-2004 05:13 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
2) No root login (using telnet for example). We login as root when using the GPS/console.
3) We login as a "typical" user and su to root.
4) We do not use "sudo" or other software to perform root functions.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 05:18 AM
03-03-2004 05:18 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
Yes
2) If yes, do system administrators typically authenticate (login) to the system as root?
No, except on non-production machines
3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?
sudo
4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.
sudo
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 05:28 AM
03-03-2004 05:28 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
1) we are three admins here and we all have the root password.
2) I prefer to work as root and usually login in as such and su to other users.
We do not use sudo or equivalent means.
greetings,
Michael
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 05:35 AM
03-03-2004 05:35 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
I think HP should change this (both for vPars and nPars). I suggest an Partition Amdinistration suite that probably be "assigned" to one nPar or host so each nPar/vPar root account cannot change configuration -- similar to what they have on Sun partitionalble servers.
1) Are system administrators in your environment given the root password?
Yes.
2) If yes, do system administrators typically authenticate (login) to the system as root?
No. Only Console Root Access. All else use SU.
3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?
SUDO
4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.
SUDO.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 07:37 AM
03-03-2004 07:37 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
2) no
3) login as self then su to root
4) no other utils used. evaluating sudo for this purpose.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 08:27 AM
03-03-2004 08:27 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
2) Yes.
We do also have a tool called Power Broker. We have not yet fully utilized it's capabilities, but we plan on doing that to allow the operators access to certain areas and functionalities of the system.
-Hazem
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 10:32 AM
03-03-2004 10:32 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
2) Usually log into own account then su or use sudo. We have secure tty defined so it is not possible to log in directly as root. Logging in is either through telnet or SSH (SSH preferred, but sometimes this doesn't work so we resort to telnet - have to use this to access GSPs anyway).
GSPs all connected to network and password protected.
Access to different networks controlled by SecureID, so authentication is required before a connection can be made. This sometimes screws up SSH, because you are not presented with a chance to authenticate (Radius servers don't support SSH protocol).
3) - N/A
4) We use sudo, though we are not entirely happy with it. There are several huge security holes that can be exploited if you are not really careful. We are wary of using other tools to control passwords where there is a risk that access to a system could be lost if the tool used stops working. We do not have physical access to the machines.
Access to systems overall is controlled by LDAP (we have profiles which allow users to access certain systems only).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2004 03:38 PM
03-03-2004 03:38 PM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
Below my replies:
1) Are system administrators in your environment given the root password?
NO. Known only to HP-UX server administrator and of course the IT Business Unit Leader.
2) If yes, do system administrators typically authenticate (login) to the system as root?
The administrator in charge uses it mostly. Avoids the pain of remembering the passwords for all the accounts used for the different installations.
3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?
su - root.
4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.
NO. considering it for the future.
regards
Yogeeraj
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-04-2004 02:40 AM
03-04-2004 02:40 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
2) No.
3) We force logon as a user then they su to root.
4) Yes, for secondary admins, DBA's, etc... we use SUDO to grant certain commands.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-04-2004 02:49 AM
03-04-2004 02:49 AM
			
				
					
						
							Re: Authentication question from HP labs
						
					
					
				
			
		
	
			
	
	
	
	
	
2) No
3) They typically log on as themselves then su, or use set-UID scripts or programs
4) We don't use either of these utilities, but we do make extensive use of set-UID scripts, and also use a bespoke program which acts as a wrapper for the setresuid system call (checks the script name parameter for matching validation rules, then calls setresuid to set all 3 ID values to zero, then runs the script, needed for some utilities which try to be clever and look at the real user ID rather than the effective user ID).
