Re: su using SecurID cards
- From: Roy L. Fuchs <roylfuchs@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 01 Mar 2006 14:11:47 GMT
On Mon, 27 Feb 2006 11:38:47 -0600, Chris Cox
<ccox_nopenotthis@xxxxxxxxxxx> Gave us:
jamesromeongmail.com wrote:
I am being forced to require SecurID cards for su to root. I already
use them for all logins to the system. I am currently running 9.1, but
will soon upgrade the system to 10.0 or 10.1.
Ok...
Here is the problem:
I can easily require SecurID in /etc/pam.d/su, but that would allow
anyone with a card to su to root.
No. You're thinking about this incorrectly. The fact that
the user is "on" the system is proof that they used their
SecurID and "are" who they say they are (assuming you've
already covered that).
So you merely have to add the user to sudo (not su)... in our
case, we have written a script called rootsh and allow
certain logins the ability to become root via rootsh. The
rootsh script logs all input and output to a file (so we
know what each of us does). Obviously, once root, we can
destroy anything.. so it isn't a security thing, it's
a tracking thing used to let the right hand know what
the left hand is doing (or has done).
I'd protect the su command by "wheeling" it so that
it can't be executed by a normal user. You can use
a modified rootsh to allow users to get a login shell
for other users besides root (with the same logging/tracking
feature.. and a bit more secure too).
The "approved" fix is to create shadow accounts that have ID 0. For
example, if I am jar, I would also have an account jarsu.
Massive security violation. Don't do this.
The problem with this is that YaST2 does not allow multiple accounts
with the same userID. I can change them manually, but then the YaST2
user-admin tool refuses to work. How do I get around this?
Don't do it this way. Allow users to become root via sudo or
some other kind of role based setup.
I can email you our rootsh script if you like and you
can experiment with it.. we use it on AIX, HP-UX, Solaris
and Linux. Works well.
Can you post it in alt.binaries.misc or the like?
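Chris's rootsh was not posted in this message, so what follows is an added example and not his script: a minimal rootsh-style wrapper of the kind the thread describes, written for Linux with util-linux `script` (which accepts -a, -f, -q and -c) and meant to be reached only through sudo, which sets SUDO_USER. The pam_wheel and sudoers lines in the comments are assumptions about how it would be wired in, matching the advice to "wheel" su and make sudo the only road to root; the log directory, function names and the /usr/local/bin/rootsh path are invented for illustration.

```shell
#!/bin/sh
# rootsh-style logged root shell: a hypothetical example, not the script from the thread.
# Assumes Linux with util-linux `script` (supports -a -f -q -c) and that sudo sets SUDO_USER.
#
# Assumed wiring (not from the original post):
#   /etc/pam.d/su  : auth required pam_wheel.so use_uid
#                    (only members of wheel may use su at all)
#   /etc/sudoers   : %wheel ALL=(root) /usr/local/bin/rootsh
#                    (the role "may become root" means "may run rootsh", nothing else)

LOGDIR=${ROOTSH_LOGDIR:-/var/log/rootsh}   # per-session transcripts live here

# Transcript path for one session: <invoking user>.<epoch seconds>.log
rootsh_logfile() {
    # $1 = pre-sudo user name, $2 = session start time (epoch seconds)
    printf '%s/%s.%s.log\n' "$LOGDIR" "$1" "$2"
}

# Refuse to start unless we were reached via sudo by a named user and are root.
# Returns 0 when both hold; prints the reason and returns 1 otherwise.
rootsh_check_caller() {
    # $1 = value of SUDO_USER, $2 = effective uid
    if [ -z "$1" ]; then
        echo "rootsh: invoke through sudo, not directly" >&2
        return 1
    fi
    if [ "$2" -ne 0 ]; then
        echo "rootsh: not running as root (uid $2)" >&2
        return 1
    fi
    return 0
}

rootsh_main() {
    rootsh_check_caller "${SUDO_USER:-}" "$(id -u)" || exit 1
    umask 077
    mkdir -p "$LOGDIR"
    log=$(rootsh_logfile "$SUDO_USER" "$(date +%s)")
    : >> "$log"
    # Best effort: append-only so the session cannot truncate its own transcript.
    # As the thread says, root can undo this (chattr -a); it raises the bar, no more.
    chattr +a "$log" 2>/dev/null || true
    # Session start/end go to syslog, which can be forwarded off-host for integrity.
    logger -t rootsh "start user=$SUDO_USER tty=$(tty 2>/dev/null) log=$log"
    # -a append (works with +a), -f flush every write, -q no banner; record the login shell.
    script -q -a -f -c "/bin/bash -l" "$log" || true
    logger -t rootsh "end user=$SUDO_USER log=$log"
}

# Start the shell only when installed and executed as "rootsh"; sourcing the file
# for tests just defines the functions above.
case "${0##*/}" in
    rootsh) rootsh_main ;;
esac
```

Installed root-owned at /usr/local/bin/rootsh with mode 0755, a wheel member runs `sudo rootsh` and gets a logged root login shell; the transcript records every keystroke and every byte of output, so it is a tracking tool in exactly the sense Chris describes. The start/end syslog lines are the part worth shipping to a remote log host, since anything left on the box is at the mercy of whoever is now root.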