restrict remote logins to service accounts. 2006-01-17 - By Mark Waterhouse
Have you considered using ssh keys? If you stop people from using PasswordAuthentication and utilise ssh keys, you could then ensure that your service accounts are used from cron etc; unless of course your admin had local root access and decided to authenticate via the crontabs key :-/
Mark

-- -- Original Message -- --
From: David.Knight@(protected)
To: taroon-list@(protected)
Sent: Tuesday, January 17, 2006 3:35 PM
Subject: restrict remote logins to service accounts.
All,

I have an issue with Admins/DBAs logging into my servers directly as service accounts such as user 'oracle'. I have had a hard time getting people to adopt the use of sudo. I am at the point where I need to restrict direct logins to these accounts. My goal is to force people to sudo to the service accounts from their assigned user account.

I only allow ssh/scp connections to my servers. I have tried the sshd.config option "AllowUsers" but this also restricts scp logins. I can't restrict this for automated processes run under the service accounts use scp. So the only thing I need to restrict is direct remote "ssh" logins.

Any suggestions would be great.
-David Knight
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- -----
-- Taroon-list mailing list Taroon-list@(protected) https://www.redhat.com/mailman/listinfo/taroon-list
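
Added example (not part of either message): a shell audit for the key-only approach suggested in the reply, going one step further by checking that every key in the service account's authorized_keys carries a forced `command="..."`, so a key meant for automated scp cannot open an interactive shell. The sample files, key blobs and the `/usr/local/bin/scp-only` wrapper are constructed or hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Sample files below are constructed.

# Effective global PasswordAuthentication setting. sshd keeps the first
# occurrence of a keyword and defaults to "yes" when it is absent.
# Assumption: parsing stops at the first Match block.
password_auth() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { v = tolower($2); exit }
         END { print (v == "" ? "yes" : v) }' "$1"
}

# Number of keys in an authorized_keys file with no command="..." option,
# i.e. keys that may run arbitrary commands or a shell as the account.
unrestricted_keys() {
    awk '/^[ \t]*(#|$)/ { next }
         { opts = $0
           if (opts ~ /^(ssh-|ecdsa-|sk-)/) opts = ""
           else sub(/[ \t](ssh-|ecdsa-|sk-).*$/, "", opts)
           if (opts !~ /(^|,)command="/) n++ }
         END { print n + 0 }' "$1"
}

# audit <sshd_config> <authorized_keys>: status 0 only if both checks pass.
audit() {
    rc=0
    [ "$(password_auth "$1")" = "no" ] || { echo "FAIL: password logins enabled"; rc=1; }
    n=$(unrestricted_keys "$2")
    [ "$n" -eq 0 ] || { echo "FAIL: $n key(s) without a forced command"; rc=1; }
    return "$rc"
}

tmp=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication no' 'Protocol 2' > "$tmp/sshd_weak"
printf '%s\n' 'Protocol 2' 'PasswordAuthentication no' > "$tmp/sshd_hard"
# /usr/local/bin/scp-only is a hypothetical wrapper; key blobs are placeholders.
printf '%s\n' 'ssh-rsa AAAAconstructedkey1 cron@batchhost' \
    'no-pty ssh-rsa AAAAconstructedkey2 dba@laptop' > "$tmp/keys_weak"
printf '%s\n' '# automation key' \
    'from="192.0.2.10",command="/usr/local/bin/scp-only",no-pty ssh-rsa AAAAconstructedkey1 cron@batchhost' \
    > "$tmp/keys_hard"

audit "$tmp/sshd_weak" "$tmp/keys_weak" || echo "weak sample rejected"
audit "$tmp/sshd_hard" "$tmp/keys_hard" && echo "hardened sample passes"
```

The weak sample fails both checks: the commented-out directive leaves the default in force, and `no-pty` alone still lets the key holder run commands as the service account.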