[TriLUG] Shared user account best practices

Paul G. Szabady paul at thyservice.com
Thu Jul 10 13:15:03 EDT 2008


Generally speaking, it's not a trust issue.  More times than not, it's 
an accountability issue.  In other words, how easy can you track down 
the person that performed a specific task when multiple people have 
access to the un/pw.

Warren Myers wrote:
> Depending on the total number of servers you have to worry about, it may be
> worth looking at some of the server management tools out there. (Disclaimer,
> I work for a company that does exactly that - on a scale writ large.)
>
> A thought could be to wrap the allowed utility calls in a shell script (rx
> perms only) that snags off the output of the commands into syslog or
> similar?
>
> For accountability, eventually you're going to have to trust the folks
> running scripts / doing jobs to be NOT assholes.
>
> WMM
>
> On Thu, Jul 10, 2008 at 12:43 PM, Shawn Hood <shawnlhood at gmail.com> wrote:
>
>> Doh!  Yes, I failed to mention that we will be using pre-shared keys.
>> I guess I should be more clear:  Are there other practices that are
>> preferred for such tasks?  Should I be approaching this problem from
>> another angle that will improve security and accountability?
>>
>> Shawn
>>
>> On Thu, Jul 10, 2008 at 12:31 PM, Warren Myers <volcimaster at gmail.com>
>> wrote:
>>
>>> Can you use a pre-shared ssh key, and lock down the user on the remote box
>>> (either directly, or using ldap/nis/whatever) so it can only do the tasks
>>> you allow?
>>>
>>> WMM
>>>
>>> On Thu, Jul 10, 2008 at 12:22 PM, Shawn Hood <shawnlhood at gmail.com> wrote:
>>>
>>>> All,
>>>>
>>>> Shared user account best practices?  Seemingly a misnomer.  :)
>>>>
>>>> At any rate, I was hoping to get some guidance on the following issue.
>>>>  My organization needs user accounts to be used by scripts for
>>>> automated tasks (e.g. deploying an application build to a server,
>>>> logging into to check certain aspects of a system).  I've seen
>>>> configurations where certain users are only allowed to execute a
>>>> certain set of commands via SSH instead of actually getting a shell.
>>>> This seems like a step in the right direction.  Any other ideas?
>>>>
>>>>
>>>> --
>>>> Shawn Hood
>>>> 910.670.1819 m
>>>> --
>>>> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
>>>> TriLUG FAQ  : http://www.trilug.org/wiki/Frequently_Asked_Questions
>>>>
>>>
>>> --
>>>
>>> Warren Myers
>>> http://warrenmyers.com
>>> --
>>
>> --
>> --
>> Shawn Hood
>> 910.670.1819 m
>>
>

-- 
--
Paul
@ Thy Service
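Warren's two suggestions in the thread (a pre-shared key whose remote user can only do the tasks you allow, and a read/execute-only wrapper that sends what was run to syslog) can be combined in one forced-command wrapper, which also answers Paul's accountability point: give every person or system its own key and its own tag, and the log names who ran what. The script below is an added example, not code from the thread or from any of its authors; the wrapper path, the `/usr/local/bin/deploy-build` tool, the allowed verbs and the `AUDIT_LOG_FILE` variable are all assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for a shared automation account (added example, not from the thread).
# Install it read/execute-only (chmod 555) and point every authorized key at it, giving each
# key its own tag so the log names the person or system behind the key, not just "deploy":
#
#   command="/usr/local/bin/deploy-wrapper shawn",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... shawn@laptop
#
# sshd then ignores whatever command the client asked for, runs this script instead, and
# hands the requested command over in SSH_ORIGINAL_COMMAND. Paths and verbs are assumptions.

# audit_log TAG MESSAGE: record who asked for what. Goes to syslog (auth facility), or to
# $AUDIT_LOG_FILE when that variable is set (handy for testing without a syslog daemon).
audit_log() {
    if [ -n "${AUDIT_LOG_FILE:-}" ]; then
        printf '%s deploy-wrapper[%s]: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$AUDIT_LOG_FILE"
    else
        logger -p auth.info -t "deploy-wrapper[$1]" "$2"
    fi
}

# resolve_command REQUEST: map a request onto the exact program line it is allowed to run.
# Prints that line and returns 0; returns 1 for anything not on the allow-list.
resolve_command() {
    set -f                 # no globbing while the request is split into words
    set -- $1              # $1 = verb, $2... = arguments
    set +f
    case "$1" in
        deploy)            # deploy <build-name>: hypothetical deploy tool
            [ $# -eq 2 ] || return 1
            case "$2" in
                ''|*[!A-Za-z0-9._-]*) return 1 ;;   # only a plain build name: no / ; & etc.
            esac
            printf '%s\n' "/usr/local/bin/deploy-build $2"
            ;;
        uptime) [ $# -eq 1 ] || return 1; printf 'uptime\n' ;;
        uname)  [ $# -eq 1 ] || return 1; printf 'uname -a\n' ;;
        df)     [ $# -eq 1 ] || return 1; printf 'df -h\n' ;;
        *)      return 1 ;;
    esac
}

# run_request TAG REQUEST: log the decision, then run the resolved command (or refuse).
run_request() {
    wrapper_tag=$1
    wrapper_req=$2
    if wrapper_cmd=$(resolve_command "$wrapper_req"); then
        audit_log "$wrapper_tag" "ALLOW request=\"$wrapper_req\" exec=\"$wrapper_cmd\""
        $wrapper_cmd       # word-split on purpose; the arguments were validated above
    else
        audit_log "$wrapper_tag" "DENY request=\"$wrapper_req\""
        echo "deploy-wrapper: command not permitted" >&2
        return 127
    fi
}

# Entry point when sshd invokes the wrapper: argv[1] is the tag from the authorized_keys line.
if [ -n "${1:-}" ] && [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_request "$1" "$SSH_ORIGINAL_COMMAND"
fi
```

A client then runs `ssh deploy@host deploy build-42` and gets the deploy tool and nothing else; `ssh deploy@host 'deploy build-42; id'` or a bare `ssh deploy@host` is refused and the refusal is logged with the key's tag. The allow-list maps verbs onto fixed program lines rather than passing the request through, so the only caller-controlled text that reaches a command is the validated build name. sshd's own login log gives you the key that authenticated, and the wrapper log gives you the task it ran, which is the per-person trail Paul is asking for even though the Unix account is shared.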