# User Management

## jon123

I am wondering what people do for user management of both sys/admins and users?  

The model I use is a little dirty. I have one box on which I have all my sys/admin user accounts. They have sudo access. The ssh key for root on that box is on all the other boxes. So the process for administration is simply:

ssh to entrybox -> sudo -> ssh to any server.

It works great for a small group. I am concerned about growth and hidden backdoors.

I am wondering if there is a better way.

Is it common to actually not give sys/admins sudo?

Is it common to use LDAP or NIS, have people log in as their own user everywhere, and disable root over ssh?

Is it common to only use sshd on an internal network?

Thanks

Last edited by jon123 on Tue Feb 17, 2009 9:14 pm; edited 1 time in total

----------

## alunduil

In the network I work with, we have (depending on the need) LDAP authentication for users.  We don't allow root to ssh in, and the root password is different for every box.  Everyone must su from their account (and also be in the wheel group) to get root privileges.  Works fairly well, and if you have more questions or configuration concerns just post back.

Regards,

Alunduil
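The two controls alunduil describes, root locked out of sshd and su gated on wheel membership, are easy to get subtly wrong: sshd keeps the first value it sees for a keyword, so a `PermitRootLogin no` appended below an earlier `yes` is silently ignored, a Match block can reopen root for one address, and the pam_wheel line in `/etc/pam.d/su` often ships commented out. The following is an added example, not code from either poster, that checks these files the way sshd and Linux-PAM read them. It assumes standard OpenSSH `sshd_config` syntax and a Linux-PAM style `/etc/pam.d/su`; the file contents and names (`sshd_weak`, `sshd_fixed`, `sshd_match`, `su_open`, `su_wheel`) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit "no root over ssh" and
# "su requires wheel" the way sshd and PAM actually read their config.
#
# sshd_config rules that matter here:
#  1. sshd keeps the FIRST value it sees for a keyword (outside Match blocks),
#     so "PermitRootLogin no" appended below an earlier "PermitRootLogin yes"
#     changes nothing.
#  2. A Match block can re-enable root for one address or user, so the
#     global value alone is not the whole story.
# Keywords are case-insensitive; "Key value" and "Key=value" are both valid.
# Everything after the first Match line is treated as conditional.

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the global (pre-Match) effective value of KEYWORD in FILE, if any.
effective_sshd_option() {
    awk -v key="$(lc "$2")" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { in_match = 1; next }
        in_match { next }
        k == key && !found { found = 1; print f[2] }
    ' "$1"
}

# Print each value KEYWORD is given inside Match blocks in FILE, one per line.
match_block_values() {
    awk -v key="$(lc "$2")" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { in_match = 1; next }
        in_match && k == key { print f[2] }
    ' "$1"
}

# Succeed only if root cannot ssh in under any condition: the global value
# is "no" and no Match block sets anything else.
root_login_disabled() {
    [ "$(effective_sshd_option "$1" PermitRootLogin)" = no ] || return 1
    for v in $(match_block_values "$1" PermitRootLogin); do
        [ "$v" = no ] || return 1
    done
    return 0
}

# Succeed if an /etc/pam.d/su file makes su require wheel membership
# (an active, uncommented pam_wheel.so line in the auth stack).
su_requires_wheel() {
    grep -Eq '^[ \t]*auth[ \t]+(required|requisite)[ \t]+pam_wheel\.so' "$1"
}

# Constructed sample files for the demo and tests (not real system files).
write_samples() {
    dir=$1
    # weak: the fix was appended, but the earlier "yes" still wins
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
        '' '# appended later' 'PermitRootLogin no' > "$dir/sshd_weak"
    # fixed: one global setting, keys only, ssh logins limited to the wheel group
    printf '%s\n' 'Port 22' 'PermitRootLogin=no' 'PasswordAuthentication no' \
        'AllowGroups wheel' > "$dir/sshd_fixed"
    # match: global "no", but a Match block reopens root from one address
    printf '%s\n' 'permitrootlogin no' 'Match Address 10.0.0.5' \
        '    PermitRootLogin yes' > "$dir/sshd_match"
    # pam: the wheel restriction commented out (open) versus active (wheel)
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
        '#auth required pam_wheel.so use_uid' 'auth include system-auth' > "$dir/su_open"
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
        'auth required pam_wheel.so use_uid' 'auth include system-auth' > "$dir/su_wheel"
}

# Demonstration when run directly.
tmp=$(mktemp -d)
write_samples "$tmp"
for name in sshd_weak sshd_fixed sshd_match; do
    if root_login_disabled "$tmp/$name"; then
        echo "$name: root ssh login disabled"
    else
        echo "$name: root ssh login NOT reliably disabled (global value: $(effective_sshd_option "$tmp/$name" PermitRootLogin))"
    fi
done
for name in su_open su_wheel; do
    su_requires_wheel "$tmp/$name" && echo "$name: su restricted to wheel" || echo "$name: anyone holding the root password can su"
done
rm -rf "$tmp"
```

Run it against the real files with `effective_sshd_option /etc/ssh/sshd_config PermitRootLogin` and `su_requires_wheel /etc/pam.d/su`; `sshd -T` on the host is the authoritative answer for sshd, but it must run as root, which is exactly what an admin without sudo does not have.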

----------

## jon123

Thanks for the fast reply. I am not too familiar with LDAP configurations.

What do you use for LDAP management?

Do you use SASL or Kerberos for communication?

Do you have redundancy for LDAP? N+1?

Is there built in logging of who logged in where?

Thanks again.

PS.  Does anyone use Puppet to do user management?

----------

## alunduil

*jon123 wrote:*

> What do you use for LDAP management?

For management we use a variety of home built tools and phpldapadmin (available in portage).

*jon123 wrote:*

> Do you use SASL or Kerberos for communication?

We use SASL.

*jon123 wrote:*

> Do you have redundancy for LDAP? N+1?

Yes, we have a master slave setup.

*jon123 wrote:*

> Is there built in logging of who logged in where?

That is handled by the application.  What LDAP logs is the queries that get performed, and from what box.

Regards,

Alunduil

----------

