Re: Authentication question from HP labs

George_Dodds
Honored Contributor

Re: Authentication question from HP labs

Here there is just me and a DBA; we log on with our own user IDs and su when needed.

We've never needed to use elevated privileges apart from letting 2 users have system backup rights using a restricted SAM shell.

Cheers

George
Todd McDaniel_1
Honored Contributor

Re: Authentication question from HP labs

Brad,

In my group, me and my backup as well as our "Platform specialists" all have root on my boxes.

1) all the above folks have root access... we use the scfmgr Sysguard tool to manage security of root access.

2) NO, me and the other SAs don't login directly as root for non-console access, login first as user then su - to root.

3) In order to access root, we utilize scfmgr for security and we authenticate users first with SecurID technology from ACE(tm). Then users su - to root from their userID. When logged in as root, I have created separate .sh_username history files to divide everyone's commands so they can keep their own history.

4) For NON-SA users, I grant sudo access for root required commands such as managing my EMC frames with Symm commands. And for mount/umount/vgchange/fsck/etc for BCV management... For SA's who have root access, they use su...
Unix, the other white meat.
John Poff
Honored Contributor

Re: Authentication question from HP labs

Hi,

1. Yes.

2. We normally login under our personal accounts and then su - to root.

3. n/a

4. We have tried using sudo before for an application which needed root access for some utility functions. The user tried it out but claimed that it didn't work properly for them. For our daily sysadmin work we just use root as needed.

JP
Bill Hassell
Honored Contributor

Re: Authentication question from HP labs

1. No! The root password is written on a card and put in the company safe with the words: "open only if the Director of IT got hit by a beer truck"

2. No! securetty prevents this from any port except the real console.

3. sudo.

4. sudo. In order to avoid issues, I never give a user all privileges. Instead, I enumerate the program and sometimes the parameters to prevent misteaks (misstakes?). And sudo logs both successes and failures.

Like lsof, sudo should be added to software.hp.com, just like gcc and other shareware goodies. There are way too many production systems out there where the unknowledgeable sysadmin just modifies ordinary user IDs into 0 to solve the root distribution problems.


Bill Hassell, sysadmin
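
An audit for two of the conditions raised in the post above, ordinary accounts whose UID has been changed to 0 and root logins permitted on ports other than the console via securetty, written as an added example that is not part of the original thread. The sample passwd and securetty contents, the account names `oper` and `dba1`, and the function names are constructed for illustration; on HP-UX a missing /etc/securetty leaves root login unrestricted by terminal, so the script reports that case too.

```sh
#!/bin/sh
# Added example; the sample files below are constructed, not from a real system.

# Accounts other than "root" whose passwd UID field is 0 (also matches "00").
extra_uid0() {
    awk -F: '$3 ~ /^0+$/ && $1 != "root" { print $1 }' "$1"
}

# securetty entries other than "console"; blank lines are ignored.
non_console_ttys() {
    awk '{ gsub(/[ \t]/, "") } $0 != "" && $0 != "console"' "$1"
}

# audit PASSWD SECURETTY: print findings, return 1 if there are any.
audit() {
    rc=0
    for u in $(extra_uid0 "$1"); do
        echo "FINDING: account '$u' has UID 0"; rc=1
    done
    if [ ! -f "$2" ]; then
        echo "FINDING: $2 missing, root login is not limited to the console"; rc=1
    else
        for t in $(non_console_ttys "$2"); do
            echo "FINDING: root login allowed on '$t'"; rc=1
        done
    fi
    return $rc
}

# Constructed sample input (hypothetical accounts "oper" and "dba1").
tmp=${TMPDIR:-/tmp}/rootaudit.$$
mkdir -p "$tmp"
cat > "$tmp/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
oper:x:0:20:Operator:/home/oper:/usr/bin/sh
dba1:x:104:20:DBA:/home/dba1:/usr/bin/ksh
EOF
printf 'console\ntty0p1\n' > "$tmp/securetty"

audit "$tmp/passwd" "$tmp/securetty" || true
```

On a live system the call would be `audit /etc/passwd /etc/securetty`, run from cron so that a newly added UID 0 account is noticed.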
Sijesh
Advisor

Re: Authentication question from HP labs

1) Yes, not a production env.

2) No

3) We logon as a user then they su to root.

4) No

Jon Mattatall
Esteemed Contributor

Re: Authentication question from HP labs

1) Yes.
2) Yes and no. We authenticate to a single secured BSD box as individual users, su - there, and ssh as root to the servers.

If we use the console, it is as root.
3) See above.
4) sudo for some users (dba's)
A little knowledge is dangerous - none is absolutely terrifying!!!
D.Blond
Frequent Advisor

Re: Authentication question from HP labs

1. Yes

2. logon with their own user and su -

3. n/a

4. sudo or super is not used.

best regards,
D.Blond
Sanjiv Sharma_1
Honored Contributor

Re: Authentication question from HP labs

Hi,

1) Yes.

2) Yes.

3) N/A

4) No.

Thanks, Sanjiv
Everything is possible
Thierry Poels_1
Honored Contributor

Re: Authentication question from HP labs

1. Yes
2. No
3. su - nsu - super
4. nsu - super
All unix flavours are exactly the same . . . . . . . . . . for end users anyway.
Mark Greene_1
Honored Contributor

Re: Authentication question from HP labs

1. yes.

2. no.

3. Login with individual IDs and then su to root as needed.

4. We use sudo to give root privileges to our help desk and data center for doing tasks such as resetting passwords and canceling print jobs. They initiate this by logging in via a special ID whose .profile launches a ksh script that has the sudo-enabled commands. They don't have command-line access.

mark
the future will be a lot like now, only later
Rita C Workman
Honored Contributor

Re: Authentication question from HP labs

1. Yes...there is only me and the consultant they hired to give me a break.

2. I do...bad habit, but then again up to a few short months ago....who else could I blame for mistakes...

3. I do give some limited rights to the helpdesk to reset others' passwords, kill print jobs and the like...we use restricted SAM and I wrote them a little utility script to use.

4. No sudo, I use restricted SAM, and we are using a utility for tracking these things called PowerBroker.

You're Welcome,
Rita
Thayanidhi
Honored Contributor

Re: Authentication question from HP labs

Hi,

1) Are system administrators in your environment given the root password?

Yes

2) If yes, do system administrators typically authenticate (login) to the system as root?

No, Login with their own id and su -

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

N/A

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

Not using any other utility
Attitude (not aptitude) determines altitude.
Keely Jackson
Trusted Contributor

Re: Authentication question from HP labs

1) Yes

2) No. root access only allowed from the console

3) su -

4) sudo only used for non sys admins

Keely
Live long and prosper
Alzhy
Honored Contributor

Re: Authentication question from HP labs

Okay Brad, what really is the reason for this inquiry? Are we to expect some changes in the future as to how partitions are to be administered/managed?

IMHO, the ability for root to manage partitions (nPar/vPar) from any running vPar/nPar in a complex/server should be taken out. Instead, it should be relegated to some management node.
Hakuna Matata.
Sergejs Svitnevs
Honored Contributor

Re: Authentication question from HP labs

1) Only system admins have root passwords.
2) Yes (the restriction: root can log in via SSH or via console).
3) su -
4) sudo is the perfect tool for that.

Regards,
Sergejs
Tom Smith_9
Frequent Advisor

Re: Authentication question from HP labs

1. Yes.
2. Yes.
3. n/a
4. No (we are planning to implement sudo in the near future).
Charlie Rubeor
Frequent Advisor

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?

No, but the password is kept in an envelope inside a locked drawer in my desk, just in case.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

We use sudo, as well as restricted sam.
Brad Klein
Advisor

Re: Authentication question from HP labs

Nelson,

Thanks for your reply. The reason we're asking this question is a result of customer feedback we've received regarding Partition Manager version 2 which was released on HP-UX 11i v2 (B.11.23). Version 2 of Partition Manager forces users to authenticate, regardless of whether the tool was launched from an authenticated session (e.g. launched from an ssh terminal or launched from SAM). If the user authenticates as root, then full read/write access is allowed. If the user authenticates as a non-root user, then read-only access is allowed. The specific feedback we've heard is in some environments, admins are not permitted to authenticate as root. So the purpose of this question was to determine how many customers are (or would be) affected by this behavior. We are also trying to determine how privileges are elevated in these types of environments so we can solve the problem.

Regarding your second point, this issue has been addressed in servers based on the HP sx1000 chipset. For more information, see the "HP System Partitions Guide" available from http://docs.hp.com. Within the guide, you should search for "nPartition Configuration Privilege" or "PARPERM".

Thanks again for your reply.

HP Partition Management Group
Shaikh Imran
Honored Contributor

Re: Authentication question from HP labs

1) YES
2) YES
3) --
4) I use su always
I'll sleep when I am dead.
Mauro Gatti
Valued Contributor

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?

Yes, they know the root password.

2) If yes, do system administrators typically authenticate (login) to the system as root?

No, direct root login isn't allowed unless you are on console.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

su -

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

Thanks in advance for your valuable responses,

HP Partition Management group.
Ubi maior, minor cessat!
PVR
Valued Contributor

Re: Authentication question from HP labs

1. Yes.

2. Not always. For normal administration tasks we use su - root.

3. N/A

4. NO.
Don't give up. Try till success...
Umapathy S
Honored Contributor

Re: Authentication question from HP labs

1) YES

2) No. su to root. Not strictly followed.

3) su to root

4) sudo is provided for normal users to start/stop some applications/processes.

Umapathy
Arise Awake and Stop NOT till the goal is Reached!
Peter Nikitka
Honored Contributor

Re: Authentication question from HP labs

1) yes for the 'major ones'.

2) No, they login with their normal account.

3) Major admins su to root.
Specific tasks of other 'admins' are done by
'sudo' or self-developed programs with the
required s-bit.

4) Yes, sudo.
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
John Donovan
Regular Advisor

Re: Authentication question from HP labs

1. Yes.
2. Login with regular id, su to root.
3. NA
4. sudo is used on all systems by DBA for limited commands. The SA is also a sudo user just in case something happens to the root account. The SA also has restricted SAM access as another alternative.
"I have not failed. I've just found 10,000 ways that won't work." - Thomas Edison
Donny Jekels
Respected Contributor

Re: Authentication question from HP labs

1) yes
2) login with own id, then pbrun to root
3) ssh as yourself.
"Vision, is the art of seeing the invisible"