First, thanks to the multitude who replied to my little survey. Among other things, I learned how to better construct a survey for a nice disparate mailing list <g>. I had 22 folks from the list respond; since I've no idea how many are actually on the list, I can't say if that's a good return or not (anyone have a notion as to the number subscribed?). The results below are in very round numbers: the first number is the percentage of the whole (all 22 respondents); the second number is the percentage of those who explicitly addressed that point or area. There weren't a lot of really big surprises -- turns out that as I came out from the window-less (and often joyless!) basement that is the intelligence world, it's not so different in the sunshine (though sadly enough, I wound up back in the basement again <sigh>).

All that said, here are the numbers I came up with:

- Deny direct root login in any form: 36% (88%)
- Allow root login with authorized_keys: 9% (55%, doesn't include those who use central login servers*)
- Allow root login with password: 14% (60%)
- Allow user login with authorized_keys: 41% (69%)
- Allow user login with password: 27% (75%)
- Force both authorized_keys *and* password: 4% (1 respondent; does allow root login)
- Use sudo or equivalent: 36%
- Use su: 18%
- Use Kerberos: 9%
- Use centralized server(s) for root logins: 14%

* the concept of the centralized server for root access is that one would ssh into this server as yourself, su to root (to create an audit trail and to re-authenticate at the root level), then have access to other servers, as root, using authorized_keys (this box would presumably be locked down considerably more heavily than others).

Noteworthy Notes, noteably well-worthy of noting:

- 1 respondent allows user-level authorized_keys login only, across the board -- no direct root login ever, no passwords ever
- 1 respondent was just the opposite -- user-level passwords only, no authorized_keys anywhere, ever, and no direct root login, ever.
- 1 respondent brought up the aspect of laptops that wind up missing -- laptops that have users' private keys on them; this respondent uses (short-duration) passwords only across the board. Good point -- I hadn't thought of laptops (they aren't too prevalent in the dark underworld), and now I'm even more paranoid <g>.
- 1 respondent explicitly mentioned the further lack of safety factor involved in having private keys stored on an NFS-shared home directory structure. A very good point -- hadn't thought of this, since we don't use NFS on our boxes, but one of the folks who's at the root of the whole issue (no pun intended) relies on it heavily.

General Thoughts:

- one size doesn't fit all (and often, mileages *do* vary <g>); you do what you need to do, depending on agency or company policy, your comfort level, and user comfort level (generally in that order)
- sudo was obviously popular -- most who responded that they use it force its use for administrative tasks. One respondent uses sudo exclusively for any kind of root access requirement (except single-user mode, the only place where a root-level logon is allowed or a password is used). Some use of sudo was heavy, some was not.
- environment and legacy/history obviously dictate a lot of what we're allowed to get away with, or not, in the security area; a small number of respondents were stuck in an environment where they still had to allow telnet with passwords running around naked all over the wire (they were quite chagrined at this, however), and a couple were in the process of disallowing this sort of practice (getting rid of telnet, ftp, etc.). But we're stuck in the environment in which we're stuck, often.
- most were ambivalent towards ssh-agent, if addressed at all.

Hope this info is able to help someone else, as well; as for me, it verified that I'm not insane (there's always question on that issue, is there not?? <g>), it gave me a couple of options that I hadn't thought about before, and it strengthened a couple of arguments that I already had. Again, my thanks for your time. Have a wonderful March!

Tony
~~~~~~~~~
Tony Schloss (statements & opinions here are solely my own; they offer no reflection of my employer, and all that jazz)
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Mon Mar 1 13:01:05 2004
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:30 EST
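The posture most respondents described (no direct root login, user login by authorized_keys, passwords off) comes down to three sshd_config keywords. What follows is an added example, not part of Tony's post and not OpenSSH's own tooling: a POSIX shell audit that reads an sshd_config text and flags settings that contradict that posture. The two config fragments are constructed for the demonstration; the defaults passed as the third argument to `sshd_value` are assumptions about the OpenSSH release in use (PermitRootLogin defaulted to `yes` in releases of that era and to `prohibit-password` in current ones), and `Match` blocks are not handled.

```shell
#!/bin/sh
# Constructed sample sshd_config fragments (not taken from any real host).
# WEAK: the "passwords everywhere, root straight in" posture a few respondents
# were stuck with. HARDENED: the posture the majority reported.
WEAK_CONFIG='
# comments and blank lines are ignored by sshd
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
'
HARDENED_CONFIG='
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
'

# sshd_value CONFIG KEYWORD DEFAULT -> prints the effective value of KEYWORD.
# sshd honors the first occurrence of a keyword (hence awk's "exit" after the
# first match), keywords are case-insensitive, and "#" starts a comment.
# DEFAULT is printed when the keyword is absent; it is the caller's assumption
# about the OpenSSH version's built-in default.
sshd_value() {
    config=$1; key=$2; default=$3
    val=$(printf '%s\n' "$config" \
        | sed 's/#.*//' \
        | awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# audit_sshd CONFIG -> prints one FINDING line per deviation; returns 0 when
# the config matches "no direct root login, keys only", 1 otherwise.
# Any PermitRootLogin value other than "no" (yes, without-password,
# prohibit-password, forced-commands-only) still lets root in directly in some
# form, so all of them are reported.
audit_sshd() {
    config=$1; rc=0
    root=$(sshd_value "$config" PermitRootLogin yes)
    pw=$(sshd_value "$config" PasswordAuthentication yes)
    pk=$(sshd_value "$config" PubkeyAuthentication yes)
    case "$root" in
        no) ;;
        *) echo "FINDING: PermitRootLogin=$root (direct root login allowed)"; rc=1 ;;
    esac
    if [ "$pw" = yes ]; then
        echo "FINDING: PasswordAuthentication=yes (password logins accepted)"; rc=1
    fi
    if [ "$pk" != yes ]; then
        echo "FINDING: PubkeyAuthentication=$pk (authorized_keys login disabled)"; rc=1
    fi
    return $rc
}

# Stand-alone usage: audit both constructed fragments.
# To audit a live host instead: audit_sshd "$(cat /etc/ssh/sshd_config)"
echo "== weak =="
if audit_sshd "$WEAK_CONFIG"; then echo "result: compliant"; else echo "result: not compliant"; fi
echo "== hardened =="
if audit_sshd "$HARDENED_CONFIG"; then echo "result: compliant"; else echo "result: not compliant"; fi
```

Reading `sshd_config` by hand misses a keyword's first-match rule and case-insensitivity, which is why the parser mirrors both; for a host with `Match` blocks, `sshd -T` (which prints the fully resolved configuration) is the better input to feed `audit_sshd`.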