Re: putting root account in FDS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

We have root local on the boxes, but are locking it out from ssh. Admins are being weened off of root and are allowed to ssh and sudo if they are in the right groups in ldap. I also put in a local ssh and sudo capable non-root local account on the boes I manage to deal with network outages and misonfigurations. ssh brute force and a known-name god account like root are just a nightmare that I intend to stay far far away from.
I do have a dummy, non-modifiable no password root entry in my username table so that if ldap becomes compromised, that's one avenue of attack that will be that much harder to exploit, and easy to detect. The problem is a good one, and I like the solution I'm using currently, which is partially inspired by the default setup of Mac OS X. No known (default) account names with login access. 

	ED.

On 2006, Jan 7, at 6:28 AM, Mike Jackson wrote:


Susan wrote:
I was just wondering what the community thoughts are on the subject of root accounts in LDAP vs. local. Some SAs in the company insist on keeping root passwords local in case of LDAP outage, saying that root is too critical to be handed over to FDS. Personally, I think it's no big deal. We have it local right now and every time an SA or a mgr quits, we've to login to every unix/ linux 
box and change root's password which is a real pain.
What are your thoughts on the subject? Are there some accounts that you insist on keeping local 
or is that line of thinking anachronistic?
How are you supposed to log into your machine to restart a crashed LDAP service, if the root account (and all other accounts) is only stored in LDAP? Chicken or egg?
On some boxes, you might need to give the root password to someone. On other boxes which are more sensitive, you don't want to give the root password to anyone. From a security perspective, having a single, enterprise-wide, root password is foolhardy and puts you down to the same security level as a windows "domain".
To consider putting the root account into LDAP is basically not a stupid question, because you may have been shortsighted by the perceived benefits (ease of management). To put it there, however, is not a very good idea, for the reasons outlined above. 


--
mike

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux