Subject: Re: PermitRootLogin in SSHd (WAS: Re: Telnet logins)
To: None <port-i386@netbsd.org>
From: Chris Rupnik <chrisr@beosppc.org>
List: port-i386
Date: 08/20/2001 10:32:20
All;
I have an open challenge for anyone at the office. Find me something that
sudo cannot do, and I will give you $5.
So far, no one has collected any money from me.


Chris
----- Original Message -----
From: "David Burgess" <burgess@neonramp.com>
To: <kenn@h4.dion.ne.jp>
Cc: <port-i386@netbsd.org>
Sent: Monday, August 20, 2001 10:04 AM
Subject: Re: PermitRootLogin in SSHd (WAS: Re: Telnet logins)


> kenn@h4.dion.ne.jp wrote:
> >
> > On Mon, 20 Aug 2001 08:34:43 -0500, David Burgess <burgess@neonramp.com> wrote:
> > > Do what I do (22 machines, 8 admins).
> > >
> > > - Give each person a login account on the machines in question.
> > > - Make each person a member of the wheel group.
> > > - Disable root login via ssh.
> > > - Have them log in as themselves.
> > > - Have them 'su'.
> > >
> > > This way, my root passwords are kept one layer away from the Internet
> > > and I know who did what as root, since the 'su' is logged.
> >
> > Maybe I'm missing something here, but isn't it safer to have them
> > 'sudo' instead of 'su'?  That way, you never have to give the real
> > root password out to anyone.  Plus, you can restrict what they can do
> > based on their skill level, etc.  I'm not 100% sure but I think sudo
> > is or can be logged, too.
>
> 'sudo' would probably be better, but most of the things these folks
> do need real root access (editing config files, modifying various
> user parameters, editing scripts, etc.).  A lot of these things
> defy the easy use of sudo.
>
> Still, it is a good reminder.
>
> Dave
>
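Step 3 of Dave's scheme ("Disable root login via ssh") is easy to get wrong because OpenSSH keeps the first value it reads for a keyword, so appending a second `PermitRootLogin no` at the end of a file that already sets it does nothing. The following POSIX shell check, added here as an example and not taken from the thread, reports the effective global value while honouring that first-value-wins rule, case-insensitive keywords, `#` comments, the `Keyword=value` spelling, and the fact that settings after the first `Match` line apply only to matching connections. The sample config and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: audit the global PermitRootLogin setting of an sshd_config.

# Print the effective global PermitRootLogin value from the file given as $1.
# Prints "unset" when the keyword never appears (sshd's built-in default applies).
effective_permit_root_login() {
    awk '
        { sub(/#.*/, "") }                   # drop comments
        /^[ \t]*$/ { next }                  # skip blank lines
        { gsub(/=/, " ") }                   # accept the Keyword=value spelling
        tolower($1) == "match" { exit }      # global section ends at first Match
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed (exit 0) only when root logins over ssh are fully disabled globally.
root_ssh_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Write a constructed sample sshd_config to the path given as $1.
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample sshd_config for this example
Port 22
permitrootlogin without-password
PermitRootLogin no      # no effect: the keyword was already set above
Match User backup
    PermitRootLogin yes # applies only inside this Match block
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
printf 'effective PermitRootLogin: %s\n' "$(effective_permit_root_login "$sample")"
if root_ssh_login_disabled "$sample"; then
    echo "root ssh login disabled"
else
    echo "root ssh login still permitted: move 'PermitRootLogin no' above the first setting"
fi
rm -f "$sample"
```

Run against `/etc/ssh/sshd_config` the same function tells you what sshd will actually enforce rather than what the last line of the file says.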