HPE Community
Operating System - HP-UX
1833787 Members
2412 Online
110063 Solutions
New Discussion

Authentication question from HP labs

 
SOLVED
Go to solution
Mobeen_1
Esteemed Contributor

‎03-02-2004 09:33 PM

‎03-02-2004 09:33 PM

Re: Authentication question from HP labs

Brad,
The System Administrators in our environment are granted the root password. How ever due to security concerns we follow some of the points listed below

1. Telnets for root user is disabled
2. All System Administrators have to log on
as themselves and then do an 'su' to
root.

Yes, we do make use of utilities like sudo and super on a case by case basis to grant some one with elevated privileges.

regards
Mobeen
Reply
Victor BERRIDGE
Honored Contributor

‎03-02-2004 09:38 PM

‎03-02-2004 09:38 PM

Re: Authentication question from HP labs

Hello,

1) Yes

2) Yes in some circumstances and at the console

3) The people who have some privileges but do not belong to the sysadm team use restricted sam or sudo

4) Yes we use sudo and su2. Mostly for maintenance scripts given to operators or cron files (stop/start separate oracle instances, backup/restore utilies etc...)

All the best
Victor
Reply
Stefan Farrelly
Honored Contributor

‎03-02-2004 09:42 PM

‎03-02-2004 09:42 PM

Re: Authentication question from HP labs

1) Yes.

2) root is disabled. All administrators must log in using their own account first (eg. ops_xx), then su - rootxx. Each have their own rootxx logins with separate audit trails for each.

3) n/a

4) No, we dont use sudo or super or anything similar. Weve found the above procedure in 2) above to be very effective. Non administrators should never need, or would be given, root password or access to any root priveleged commands via sudo.



Im from Palmerston North, New Zealand, but somehow ended up in London...
Reply
Clemens van Everdingen
Honored Contributor

‎03-02-2004 09:51 PM

‎03-02-2004 09:51 PM

Re: Authentication question from HP labs

Hi,

No we do not use the root password.
We have access to the root password through permission of our manager. But just in case of urgent needs !

We use sudo to perform the sys admin tasks.

Kind regards,
Clemens
The computer is a great invention, there are as many mistakes as ever, but they are nobody's fault !
Reply
David Burgess
Esteemed Contributor

‎03-02-2004 10:35 PM

‎03-02-2004 10:35 PM

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?

On some systems we do have the password. Others require sign out by higher management and justification. It is changed when we are done.

2) If yes, do system administrators typically authenticate (login) to the system as root?

Only allowed on the console. Always su for auditing.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

Not allowed.

Regards,

Dave.
Reply
Chris Wilshaw
Honored Contributor

‎03-03-2004 01:19 AM

‎03-03-2004 01:19 AM

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?

Yes.

2) If yes, do system administrators typically authenticate (login) to the system as root?

No.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

We all have individual ID's, then switch to root

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

We have "super" installed on most systems, allowing our support staff to carry out basic functions (password resets, ID purges etc). Some of these functions are also scripted to prevent them from affecting restricted accounts (including our ID's, root, and the DBA master ID).
Reply
Geoff Wild
Honored Contributor

‎03-03-2004 01:39 AM

‎03-03-2004 01:39 AM

Re: Authentication question from HP labs

We have 9 Sys Admins.

1) Yes, we all have the root password(s).

2) No - login as root not possible - unless on console.

3) N/A

4) For Operators, we use Restricted SAM as well as utility suexec for some tasks.

We also maintain a separate .sh_history for each admin (from root's .profile):

# Set up logging
HISTFILE=${HOME}/.sh_history_`who am i|awk '{ print $1}'`
date >>$HISTFILE
export HISTFILE
HISTSIZE=500
export HISTSIZE


Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Reply
doug mielke
Respected Contributor

‎03-03-2004 01:44 AM

‎03-03-2004 01:44 AM

Re: Authentication question from HP labs

I've enjoyed reading these answers.

All sysadmins and our lead DBA have root pword.

admins almost always use root,

4) we don't use sudo or super for anything.
Reply
Borislav Perkov
Respected Contributor

‎03-03-2004 01:59 AM

‎03-03-2004 01:59 AM

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?

Yes.

2) If yes, do system administrators typically authenticate (login) to the system as root?

Root access to the console is allowed only.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

#su -

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

No
Reply
Jeroen Peereboom
Honored Contributor

‎03-03-2004 03:31 AM

‎03-03-2004 03:31 AM

Re: Authentication question from HP labs

1. Yes
2. Mostly yes
3. Use 'su -'
4. sudo is used, but not for admins!

JP.
Reply
Peter Leddy_1
Esteemed Contributor

‎03-03-2004 03:37 AM

‎03-03-2004 03:37 AM

Re: Authentication question from HP labs

1) Yes

2) No, it is not allowed

3 & 4) In separate and isolated environments su, sudo and super are all used
Reply
Camel_1
Valued Contributor

‎03-03-2004 03:39 AM

‎03-03-2004 03:39 AM

Re: Authentication question from HP labs

1) Yes

2) Must use su

4) We grant su to some user for managing their process which require root privillage.

Thanks,

Simon
Reply
Karthik S S
Honored Contributor

‎03-03-2004 03:55 AM

‎03-03-2004 03:55 AM

Re: Authentication question from HP labs

1)YES
2)YES (Though people are discouraged to login as root to perform non-administrative tasks, it has become a habit for us to type root whenever we see a login prompt :-))
3) -
4) I have used sudo to delicate certain permissions to other users.


-Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
Reply
John Payne_2
Honored Contributor

‎03-03-2004 04:20 AM

‎03-03-2004 04:20 AM

Re: Authentication question from HP labs

1) No, but I can get it if I REALLY need to...

2) NA

3) We get root-equivilent rights (like sudo and su) to do stuff

4) We use CA's eTrust Access Control, which contains a sudo and and 'protected' su. (sesudo and sesu)


Hope it helps
John
Spoon!!!!
Reply
Paula J Frazer-Campbell
Honored Contributor

‎03-03-2004 04:43 AM

‎03-03-2004 04:43 AM

Re: Authentication question from HP labs

Brad

1) Are system administrators in your environment given the root password?

YES


2) If yes, do system administrators typically authenticate (login) to the system as root?

NO

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

SU TO ROOT, SUDO OR RESTRICTED SAM.

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

WE USE SUDO AND RESTRICTED SAM

Paula
If you can spell SysAdmin then you is one - anon
Reply
Doug Burton
Respected Contributor

‎03-03-2004 05:13 AM

‎03-03-2004 05:13 AM

Re: Authentication question from HP labs

1) Yes.
2) No root login (using telnet for example). We login as root when using the GPS/console.
3) We login as a "typical" user and su to root.
4) We do not use "sudo" or other software to perform root functions.


Reply
doug hosking
Esteemed Contributor

‎03-03-2004 05:18 AM

‎03-03-2004 05:18 AM

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?
Yes

2) If yes, do system administrators typically authenticate (login) to the system as root?
No, except on non-production machines

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?
sudo

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.
sudo
Reply
Michael Schulte zur Sur
Honored Contributor

‎03-03-2004 05:28 AM

‎03-03-2004 05:28 AM

Re: Authentication question from HP labs

Hi,

1) we are three admins here and we all have the root password.

2) I prefer to work as root and usually login in as such and su to other users.

We do not use sudo or equivalent means.

greetings,

Michael

Reply
Alzhy
Honored Contributor

‎03-03-2004 05:35 AM

‎03-03-2004 05:35 AM

Re: Authentication question from HP labs

If this Question is regarding a possible change on how Partition management (nPars?) is possibly to change - then me thinks it should so that nPar Administration cannot be done on any running nPar.

I think HP should change this (both for vPars and nPars). I suggest an Partition Amdinistration suite that probably be "assigned" to one nPar or host so each nPar/vPar root account cannot change configuration -- similar to what they have on Sun partitionalble servers.


1) Are system administrators in your environment given the root password?

Yes.

2) If yes, do system administrators typically authenticate (login) to the system as root?

No. Only Console Root Access. All else use SU.
3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?
SUDO

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

SUDO.
Hakuna Matata.
Reply
John Kittel
Trusted Contributor

‎03-03-2004 07:37 AM

‎03-03-2004 07:37 AM

Re: Authentication question from HP labs

1) yes

2) no

3) login as self then su to root

4) no other utils used. evaluating sudo for this purpose.
Reply
Hazem Mahmoud_3
Respected Contributor

‎03-03-2004 08:27 AM

‎03-03-2004 08:27 AM

Re: Authentication question from HP labs

1) Yes.
2) Yes.

We do also have a tool called Power Broker. We have not yet fully utilized it's capabilities, but we plan on doing that to allow the operators access to certain areas and functionalities of the system.

-Hazem
Reply
Colin Topliss
Esteemed Contributor

‎03-03-2004 10:32 AM

‎03-03-2004 10:32 AM

Re: Authentication question from HP labs

1) Yes. We have 2nd line (who are technical operators) and 3rd line (the back-room people who look at the really odd problems).

2) Usually log into own account then su or use sudo. We have secure tty defined so it is not possible to log in directly as root. Logging in is either through telnet or SSH (SSH preferred, but sometimes this doesn't work so we resort to telnet - have to use this to access GSPs anyway).

GSPs all connected to network and password protected.

Access to different networks controlled by SecureID, so authentication is required before a connection can be made. This sometimes screws up SSH, because you are not presented with a chance to authenticate (Radius servers don't support SSH protocol).

3) - N/A

4) We use sudo, though we are not entirely happy with it. There are several huge security holes that can be exploited if you are not really careful. We are wary of using other tools to control passwords where there is a risk that access to a system could be lost if the tool used stops working. We do not have physical access to the machines.

Access to systems overall is controlled by LDAP (we have profiles which allow users to access certain systems only).
Reply
Yogeeraj_1
Honored Contributor

‎03-03-2004 03:38 PM

‎03-03-2004 03:38 PM

Re: Authentication question from HP labs

hi,

Below my replies:

1) Are system administrators in your environment given the root password?
NO. Known only to HP-UX server administrator and of course the IT Business Unit Leader.

2) If yes, do system administrators typically authenticate (login) to the system as root?
The administrator in charge uses it mostly. Avoids the pain of remembering the passwords for all the accounts used for the different installations.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?
su - root.

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.
NO. considering it for the future.

regards
Yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)
Reply
Jeff Carlin
Frequent Advisor

‎03-04-2004 02:40 AM

‎03-04-2004 02:40 AM

Re: Authentication question from HP labs

1) Yes, the core group of admins have root password.

2) No.

3) We force logon as a user then they su to root.

4) Yes, for secondary admins, DBA's, etc... we use SUDO to grant certain commands.



Where wisdom is called for, force is of little use. --Of course, a hammer does wonders for relieving stress.
Reply
Alan Turner
Regular Advisor

‎03-04-2004 02:49 AM

‎03-04-2004 02:49 AM

Re: Authentication question from HP labs

1) Yes
2) No
3) They typically log on as themselves then su, or use set-UID scripts or programs
4) We don't use either of these utilities, but we do make extensive use of set-UID scripts, and also use a bespoke program which acts as a wrapper for the setresuid system call (checks the script name parameter for matching validation rules, then calls setresuid to set all 3 ID values to zero, then runs the script, needed for some utilities which try to be clever and look at the real user ID rather than the effective user ID).
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.