SUMMARY: SSH & root logins

From: Tony_Schloss@ao.uscourts.gov
Date: Mon Mar 01 2004 - 12:51:34 EST


First, thanks to the multitude who replied to my little survey. Among
other things, I learned how to better construct a survey for a nice
disparate mailing list <g>.

I had 22 folks from the list respond; since I've no idea how many are
actually on the list, I can't say if that's a good return or not (anyone
have a notion as to the number subscribed?). The results below are in
very round numbers: the first number is the percentage of the whole (all
22 respondents); the second number is the percentage of those who
explicitly addressed that point or area. There weren't a lot of really
big surprises -- turns out that as I came out from the window-less (and
often joyless!) basement that is the intelligence world, it's not so
different in the sunshine (though sadly enough, I wound up back in the
basement again <sigh>).

All that said, here are the numbers I came up with:

Deny direct root login in any form:
        36% (88%)
Allow root login with authorized_keys:
        9% (55%, doesn't include those who use central login servers*)
Allow root login with password:
        14% (60%)
Allow user login with authorized_keys:
        41% (69%)
Allow user login with password:
        27% (75%)
Force both authorized_keys *and* password:
        4% (1 respondent; does allow root login)
Use sudo or equivalent:
        36%
Use su:
        18%
Use Kerberos:
        9%
Use centralized server(s) for root logins:
        14%

* the concept of the centralized server for root access is that one would
ssh into this server as yourself, su to root (to create an audit trail and
to re-authenticate at the root level), then have access to other servers,
as root, using authorized_keys (this box would presumably be locked down
considerably more heavily than others).
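As an added illustration (not part of Tony's post or the survey), the script below classifies an sshd_config file into the categories tallied above; it assumes OpenSSH keyword semantics (first occurrence wins, Match blocks are conditional) and the two sample configs it checks are constructed, not from any real host.

```shell
#!/bin/sh
# Added example (not from the original post): classify an sshd_config file
# into the login-policy categories the survey tallied. Assumes OpenSSH
# semantics: first occurrence of a keyword wins, '#' starts a comment, and
# everything after a 'Match' line is conditional and ignored here.

# sshd_opt FILE KEYWORD DEFAULT -> effective global value, lower-cased
sshd_opt() {
    val=$(awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }             # comment or blank line
        tolower($1) == "match" { exit }            # conditional section: stop
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# methods PASSWORD PUBKEY -> "key+password" | "key" | "password" | "none"
methods() {
    m=""
    [ "$2" = yes ] && m="key"
    [ "$1" = yes ] && m="${m:+$m+}password"
    printf '%s\n' "${m:-none}"
}

# ssh_login_policy FILE -> "root=<methods> users=<methods>"
ssh_login_policy() {
    pw=$(sshd_opt "$1" PasswordAuthentication yes)
    key=$(sshd_opt "$1" PubkeyAuthentication yes)
    root=$(sshd_opt "$1" PermitRootLogin prohibit-password)  # OpenSSH >= 7.0 default
    case "$root" in
        no)                                 r=none ;;
        prohibit-password|without-password) r=$(methods no "$key") ;;
        forced-commands-only)               r=forced-commands ;;
        *)                                  r=$(methods "$pw" "$key") ;;
    esac
    printf 'root=%s users=%s\n' "$r" "$(methods "$pw" "$key")"
}

# Constructed sample configs (not taken from any real machine)
TMP=${TMPDIR:-/tmp}/sshpol.$$; mkdir -p "$TMP"
LAX="$TMP/lax"; HARD="$TMP/hard"
printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$LAX"
printf '%s\n' '# survey majority: no direct root, keys only for users' \
    'PermitRootLogin no' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
    'Match User backup' 'PasswordAuthentication yes' > "$HARD"
ssh_login_policy "$LAX"    # root=key+password users=key+password
ssh_login_policy "$HARD"   # root=none users=key
```

The Match block in the second sample is deliberately ignored, so the report describes only the global policy; per-user exceptions need a separate look.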

Noteworthy Notes, noteably well-worthy of noting:
- 1 respondent allows user-level authorized_keys login only, across the
board -- no direct root login ever, no passwords ever
- 1 respondent was just the opposite -- user-level passwords only, no
authorized_keys anywhere, ever, and no direct root login, ever.
- 1 respondent brought up the aspect of laptops that wind up missing --
laptops that have users' private keys on them; this respondent uses
(short-duration) passwords only across the board. Good point -- I hadn't
thought of laptops (they aren't too prevalent in the dark underworld), and
now I'm even more paranoid <g>.
- 1 respondent explicitly mentioned the further lack of safety factor
involved in having private keys stored on an NFS-shared home directory
structure. A very good point -- hadn't thought of this, since we don't
use NFS on our boxes, but one of the folks who's at the root of the whole
issue (no pun intended) relies on it heavily.

General Thoughts:
- one size doesn't fit all (and often, mileages *do* vary <g>); you do
what you need to do, depending on agency or company policy, your
comfort level, and user comfort level (generally in that order)
- sudo was obviously popular -- most who responded that they use it, force
its use for administrative tasks. One respondent uses sudo exclusively
for any kind of root access requirement (except single-user mode, the only
place where a root-level logon is allowed or a password is used). Some
use of sudo was heavy, some was not.
- environment and legacy/history obviously dictate a lot of what we're
allowed to get away with, or not, in the security area; a small number of
respondents were stuck in an environment where they still had to allow
telnet with passwords running around naked all over the wire (they were
quite chagrined at this, however), and a couple were in the process of
disallowing this sort of practice (getting rid of telnet, ftp, etc.). But
we're stuck in the environment in which we're stuck, often.
- most were ambivalent towards ssh-agent, if addressed at all.

Hope this info is able to help someone else, as well; as for me, it
verified that I'm not insane (there's always question on that issue, is
there not?? <g>), it gave me a couple of options that I hadn't thought
about before, and it strengthened a couple of arguments that I already
had.

Again, my thanks for your time. Have a wonderful March!
Tony
~~~~~~~~~
Tony Schloss
(statements & opinions here are solely my own; they offer no reflection of
my employer, and all that jazz)
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
