Should sshd be fixed to handle NIS+ keylogin

Bob Proulx bob at proulx.com
Tue Jan 15 15:51:03 EST 2002


> To get around the problem of having to change the root password every time a
> sys admin leaves the organization, Solaris is hardened as follows.

Gratuitous editorial remark: Wouldn't it be better to avoid having a
widely known root password and use sudo instead which does user based
authentication?  That is what we do and it works well.

> Restricted permissions on su so only certain groups can run it.
> 
> That way it's really difficult to log in as root even if the root password is
> known.

This sounds like a reinvention of the "wheel group".  You might want
to do a search in google of 'site:gnu.org "wheel group"' which will
turn up an interesting news discussion about this topic.

IMNHO it really just means you need two passwords, root's plus
someone in the wheel group as well.  And if you were root before then
it should be easy to have set up an account in the wheel group that
you know the password.  That way when you do leave the company you are
all set to be disgruntled at a moment's notice and break back in
later. ;-)

Bob



More information about the openssh-unix-dev mailing list