On Fri, 2004-06-04 at 13:55, Frank Steiner wrote:
When you have different logins with different passwords, hacking one does not mean that you can login to the other, too. Excpect when you install authorized keys between these two accounts. That's what we want to prevent.
Why don't you set up a TACACS+ serveror Kerberos5 server to handle authentication? Each user can have their own key, but all auth passed to the krb/tac server. On the auth server you can allow/deny access to various accounts/hosts etc, the configuration is limitless. i.e is this user allowed to access this machine - YES/NO is this user allowed to access this account - YES/NO is this user allowed to access this machine from this machine - YES/NO is this user allowed to access this machine from this machine with this account - YES/NO Then, don't every allow anyone direct root access, only for a very very selct few, i.e. you. Setup sudo correctly, because that way you can easily track who does what when and where, couipled with your auth server's logs, all your paranoia will be taken care of as you will be able to trace everything back, I mean everything. B