actually, you can get your public key signed by certification authorities.
That would be ideal, but there aren't many people out there getting their
keys certified.
On Mon, Jul 09, 2001 at 06:58:24PM -0700, ozymandias G desiderata wrote:
> On Mon, Jul 09, 2001 at 01:23:29PM -0600, Hubert Chan wro
On Mon, 09 Jul 2001, Jason Healy wrote:
> About the best you can hope for is to log to another machine (so
> sudoers can't hose your logfiles), and be vigilant about checking what
> they do.
>
> Anyway, to your point about passwords, I say again (do we detect a
> theme?): use PAM and make them u
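As an added example (my own, not code from the thread) of the "be vigilant about checking what they do" half of that advice: a small shell filter that reads the records sudo writes to syslog and flags commands that hand the caller an unaudited root shell, either directly (su, a shell) or through an editor or pager with shell escapes. The log lines below are constructed in sudo's standard syslog format; the hostname, users and times are made up. On a real system the input should be the copy on the remote loghost, since a sudoer can edit the local file.

```sh
#!/bin/sh
# Added example, not from the thread: review sudo's syslog records and flag
# commands that amount to an unaudited root shell. Input is expected in the
# form sudo writes to syslog; feed it the loghost's copy, not the local file.

# Constructed sample of sudo syslog lines (the format is real, the events
# are made up). The last line is a refused command, logged the same way.
SAMPLE_LOG='Jul  9 13:05:12 srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Jul  9 13:06:40 srv sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Jul  9 13:07:02 srv sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Jul  9 13:08:30 srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/ifconfig eth0
Jul  9 13:09:15 srv sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash'

# Commands whose basename matches this pattern give the caller a root shell
# outright (su, shells) or via a shell escape (editors, pagers).
ESCAPE_RE='^(su|sh|bash|zsh|ksh|csh|tcsh|vi|vim|ed|less|more)$'

# Read sudo log lines on stdin; print "user STATUS command" for each match.
flag_shell_escapes() {
    awk -v re="$ESCAPE_RE" '
        / sudo: / {
            # The invoking user sits between "sudo: " and the first " : ".
            line = $0
            sub(/.* sudo: +/, "", line)
            user = line
            sub(/ : .*/, "", user)
            # Everything after COMMAND= is the requested command line.
            if (!match($0, /COMMAND=/)) next
            cmd = substr($0, RSTART + RLENGTH)
            base = cmd
            sub(/ .*/, "", base)      # drop arguments
            sub(/.*\//, "", base)     # drop directory
            if (base ~ re) {
                status = index($0, "command not allowed") ? "DENIED" : "ALLOWED"
                print user, status, cmd
            }
        }'
}

# Per-user count of flagged commands that actually ran: the short list to
# chase up with the people concerned.
count_allowed_escapes() {
    flag_shell_escapes | awk '$2 == "ALLOWED" { n[$1]++ }
        END { for (u in n) print u, n[u] }' | sort
}

demo_flags()  { printf '%s\n' "$SAMPLE_LOG" | flag_shell_escapes; }
demo_counts() { printf '%s\n' "$SAMPLE_LOG" | count_allowed_escapes; }

demo_flags
```

Run it against the loghost's file with `flag_shell_escapes < /var/log/auth.log` (path assumed; it varies by syslog setup). Refused commands are reported too, because a sudoer repeatedly asking for /bin/bash is worth a conversation even when sudoers said no.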
On Mon, Jul 09, 2001 at 01:23:29PM -0600, Hubert Chan wrote:
> PS. If you're going to PGP-sign your messages, you might want to upload
> your key to a server, so that we can check the sig.
At this late date, I'm a little confused as to what the benefit of key
servers are, and I'm even a little bi
On Mon, Jul 09, 2001 at 04:18:10PM -0800, Ethan Benson wrote:
> On Mon, Jul 09, 2001 at 09:33:12AM -0400, Jason Healy wrote:
> > machine. The machine was locked in the server room, so the only
> > people who could get to the root password (and the console) were the
> > people with keys. If you ne
Let's say, hypothetically, that I'm going to a large, chaotic security
conference somewhere in the United States' glorious and decadent
Southwestern republics in a few days' time. Further, let's stipulate
that folks will be doing lots of interesting things on the network
there that I might want to
On Mon, Jul 09, 2001 at 09:33:12AM -0400, Jason Healy wrote:
>
> Our solution to this (multiple admins on a single box) was to write
> the root password (some horribly cryptic thing) down on a piece of
> paper and put it in a sealed envelope, which we then stuck to the
> machine. The machine was
from `man zsh`:
Alias expansion is done on the shell input before any
other expansion except history expansion. Therefore, if
an alias is defined for the word foo, alias expansion may
be avoided by quoting part of the word, e.g. \foo. But
there is no
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> "Jason" == Jason Healy <[EMAIL PROTECTED]> writes:
Jason> Our solution to this (multiple admins on a single box) was to
Jason> write the root password (some horribly cryptic thing) down on a
Jason> piece of paper and put it in a sealed envelope,
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> "Jason" == Jason Rashaad Jackson <[EMAIL PROTECTED]> writes:
Jason> I'm going slowly insane trying to convince Apache to pass a
Jason> user/pass to pam_krb4, thereby validating a user for entrance
Jason> into a secure directory. Is it too much
<[EMAIL PROTECTED]> writes:
> On Mon, Jul 09, 2001 at 08:23:43PM +0100, Tim Haynes wrote:
>
> > Note that
> > alias '\/bin/su'="echo eek"
> >
> > comments accordingly on one's ability to bypass *that*, too.
> >
> > Woops. :)
>
> Have you tried it? :-) At least with my version of bash
> I'm going slowly insane trying to convince Apache to pass a user/pass to
> pam_krb4, thereby validating a user for entrance into a secure directory. Is
> it too much to hope for that it's this simple?
I haven't used that module before, but I would suggest making sure you have
a /etc/pam.d/other
On Mon, Jul 09, 2001 at 08:23:43PM +0100, Tim Haynes wrote:
> Note that
> alias '\/bin/su'="echo eek"
>
> comments accordingly on one's ability to bypass *that*, too.
>
> Woops. :)
Have you tried it? :-) At least with my version of bash (2.05.0(1)-release)
it won't do it. Or rather it'
<[EMAIL PROTECTED]> writes:
> > > alias /bin/su='/var/tmp/hax0rSu'
> >
> > i would consider this a bug in the shell.
>
> Note that \/bin/su would avoid the alias.
Note that
alias '\/bin/su'="echo eek"
comments accordingly on one's ability to bypass *that*, too.
Woops. :)
~Tim
-
On Sat, Jul 07, 2001 at 03:16:39AM -0800, Ethan Benson wrote:
> On Sat, Jul 07, 2001 at 10:31:56AM +, Jim Breton wrote:
> > On Sat, Jul 07, 2001 at 01:56:56AM -0800, Ethan Benson wrote:
> > > which may not work if you always type the
> > > full path to /bin/su anyway.
> >
> > Hoping he doesn
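To make the alias-versus-backslash exchange above concrete, here is an added example (mine, not from any of the posters) that sets up the three ways a shell can be made to run something other than the real su, and shows which invocation form gets past each. It assumes a throwaway sandbox directory holding a harmless stand-in for /bin/su, placed first on PATH, so nothing here ever runs the genuine binary; the echo commands stand in for the thread's /var/tmp/hax0rSu. It runs under bash or dash.

```sh
#!/bin/sh
# Added example, not from the thread. Shows three ways a shell can be made
# to run something other than the real su, and which invocation forms
# bypass each one. Runs under bash or dash; nothing here calls the real su.

shopt -s expand_aliases 2>/dev/null || true   # bash needs this in scripts

# Harmless stand-in for /bin/su, placed first on PATH (constructed sandbox).
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
printf '#!/bin/sh\necho REAL\n' > "$SANDBOX/su"
chmod 755 "$SANDBOX/su"
PATH="$SANDBOX:$PATH"

# Trojan 1: a shell function named su. Defined before the alias, because
# once the alias exists the line "su() {" would itself be alias-expanded.
su() { echo FUNC-TROJAN; }

# Trojan 2: an alias, like the thread's alias /bin/su='/var/tmp/hax0rSu'
# but with a plain name, since bash refuses alias names containing '/'.
alias su='echo ALIAS-TROJAN'

# Parse and run one command line afresh, so alias expansion applies to it.
invoke() { eval "$1" 2>/dev/null; }

# Each invocation form, and what it reaches:
#   su            -> the alias (expanded first, at parse time)
#   \su           -> quoting defeats the alias, but the function still wins
#   command su    -> skips functions too; now PATH decides (sandbox stand-in)
#   /full/path/su -> the file at that path, whatever PATH says
bypass_results() {
    printf '%s,%s,%s,%s' \
        "$(invoke 'su')" \
        "$(invoke '\su')" \
        "$(invoke 'command su')" \
        "$(invoke "$SANDBOX/su")"
}

# Does this shell accept the alias names discussed in the thread?
# bash rejects both ("invalid alias name"); zsh accepts both, which is why
# typing \/bin/su is not a safe escape hatch there either.
try_alias_name() {
    if alias "$1"='echo eek' 2>/dev/null; then
        unalias "$1" 2>/dev/null
        echo accepted
    else
        echo rejected
    fi
}
slash_alias()     { try_alias_name '/bin/su'; }
backslash_alias() { try_alias_name '\/bin/su'; }

bypass_results; printf '\n'
printf 'alias /bin/su: %s; alias \\/bin/su: %s\n' "$(slash_alias)" "$(backslash_alias)"
```

The point to take away is that a backslash only switches off alias expansion; it does nothing against a function of the same name or a doctored PATH, so an admin whose dotfiles are writable by others is not saved by typing `\su`. Checking that rc files and every directory on PATH are owned by the user (or root) and not group/world writable is the actual fix.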
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm going slowly insane trying to convince Apache to pass a user/pass to
pam_krb4, thereby validating a user for entrance into a secure directory. Is
it too much to hope for that it's this simple?
Oh, yeah, my info:
Apache 1.3.19 compiled from source
As far as trusting their password choices, I'm not too worried about
password guessing attacks; if an admin gets a password past pam_cracklib.so
(without overriding it as root), I have doubts that someone's going to
guess the password. Admins using the same password for multiple accounts
is anothe
At 994683614s since epoch (07/09/01 11:00:14 -0400 UTC), Micah Anderson wrote:
> Having said that we do it this way as well, I'll point out one flaw which
> particularly nags at me. Andreas said, "a) allowing convenience by allowing
> the user to effectively choose their own root passwd." which rou
I agree with this assessment of Andreas' - in fact this is what we use in
our organization. Unfortunately we don't have the luxury of fully trusting
admins, so I am a little paranoid about giving out full-on sudo to people,
but this is mostly a personnel issue having to do with the nature of the
in
At 994696370s since epoch (07/09/01 04:32:50 -0400 UTC), Juha Jäykkä wrote:
> One question raises however: If I have multiple uid=0 accounts,
> will any of their passwords suffice as "root" password when entering
> single user mode? Obviously sudo will not do here, so I will need a
> root password,
Nice little storm of a chain I managed to start here... Quite off
the original topic, mainly, where I trust the users. Many good points
have been noted and basically all of them have been argued both pro and
con. I will do a little summary here:
1) Some people like sudo, some think it is not s