
Re: [suse-security] Per domain/host options for sshd?



On Fri, 2004-06-04 at 13:55, Frank Steiner wrote:
> When you have different logins with different passwords, hacking one
> does not mean that you can login to the other, too. Except when you
> install authorized keys between these two accounts. That's what we
> want to prevent.

Why don't you set up a TACACS+ server or Kerberos5 server to handle
authentication?

Each user can have their own key, but all auth passed to the krb/tac
server.
On the auth server you can allow/deny access to various accounts/hosts
etc, the configuration is limitless.

i.e.
is this user allowed to access this machine - YES/NO
is this user allowed to access this account - YES/NO
is this user allowed to access this machine from this machine - YES/NO
is this user allowed to access this machine from this machine with this
account - YES/NO

Then, don't ever allow anyone direct root access, only for a very very
select few, i.e. you.

Set up sudo correctly, because that way you can easily track who does
what, when and where. Coupled with your auth server's logs, all your
paranoia will be taken care of, as you will be able to trace everything
back, I mean everything.

B


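The four yes/no questions in the message above can be modelled as one default-deny decision over (user, account, target machine, source machine). The sketch below is an added example, not part of the original message and not TACACS+ or Kerberos configuration; the rule format, host names and user names are hypothetical.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Rule:
    effect: str   # "allow" or "deny"
    user: str     # authenticated user (glob pattern)
    account: str  # local account requested on the target (glob pattern)
    target: str   # machine being logged in to (glob pattern)
    source: str   # machine the connection comes from (glob pattern)

    def matches(self, user, account, target, source):
        pairs = ((user, self.user), (account, self.account),
                 (target, self.target), (source, self.source))
        return all(fnmatchcase(value, pattern) for value, pattern in pairs)

# Constructed sample policy (hypothetical names). Order matters: the first
# matching rule decides, so the root exception precedes the blanket root deny.
POLICY = [
    Rule("allow", "admin", "root", "*", "mgmt.example.org"),
    Rule("deny", "*", "root", "*", "*"),
    Rule("allow", "alice", "alice", "web*.example.org", "ws1.example.org"),
    Rule("allow", "bob", "bob", "db1.example.org", "*"),
]

def authorize(user, account, target, source, policy=POLICY):
    """Return (allowed, audit_line). No matching rule means deny."""
    target, source = target.lower(), source.lower()  # host names: ignore case
    allowed = False
    for rule in policy:
        if rule.matches(user, account, target, source):
            allowed = rule.effect == "allow"
            break
    # One line per decision, so every attempt can be traced back later.
    audit = (f"decision={'ALLOW' if allowed else 'DENY'} user={user} "
             f"account={account} target={target} source={source}")
    return allowed, audit

if __name__ == "__main__":
    attempts = [
        ("alice", "alice", "web1.example.org", "ws1.example.org"),
        ("alice", "alice", "db1.example.org", "web1.example.org"),  # hop
        ("bob", "root", "db1.example.org", "ws1.example.org"),
        ("admin", "root", "db1.example.org", "mgmt.example.org"),
    ]
    for attempt in attempts:
        print(authorize(*attempt)[1])
```

The second attempt is the case raised in the quoted text: a login that is valid on one machine does not carry over to another, because no rule covers that source and target pair.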