Here at work, we have a non-root shared login account on UNIX that is used to admin a particular application. The policy is to not allow direct logins to the shared account; you must log in as yourself and use the "su" command to change over to the shared account. This is for logging/security purposes.

I've started using SSH public/private key authentication with an agent to allow me to enter my password once a day and let the agent forwarding eliminate the password prompts for the rest of the day. It is really nice.

However, some systems are locked down so I really have to use the "su" command to get to the shared account. Arg! Back to entering passwords all the time!

Is there enough info logged with SSH public/private key authentication such that I could have a reasonable chance of requesting a policy change to allow remote logins to a shared account if public/private keys are used?

I had an admin look in /var/log/secure and it just says that a public key was accepted for a user account from a particular IP address. It didn't say whose public key it was, or whose private key did the authentication.

A: 

SSH public/private key authentication is separate from the host authentication. You are out of luck here. You could request though that members of a particular group be allowed to run certain administrative commands via sudo without a password - like the example below allows users in the secretaries group to manage accounts:


# file: /etc/sudoers
...
# Members of the secretaries group may run only these two commands as root,
# without a password prompt. The NOPASSWD: tag applies to the commands that
# follow it, so it must come before the command list; writing "NOPASSWD: ALL"
# at the end would grant every command without a password.
%secretaries    ALL = NOPASSWD: /usr/bin/adduser, /usr/bin/rmuser
...
Nikolai N Fetissov
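As an added example (not part of the question or of Nikolai's answer): newer OpenSSH releases (roughly 6.3 onward) append the key type and SHA256 fingerprint to the "Accepted publickey" line, so an auditor can join the shared account's authorized_keys entries against the log to see whose key opened each session. The script below is constructed for this page; the hostnames, addresses, fingerprints and key comments are made up, and it assumes the `ssh-keygen -lf authorized_keys` output format and the default sshd log line format.

```python
import base64
import hashlib
import re

# Log line written by sshd (newer OpenSSH) when a public key is accepted.
# The trailing key type and fingerprint are optional so that older lines
# without a fingerprint still parse and are reported as unattributable.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)

# Output of `ssh-keygen -lf authorized_keys`, one line per key:
#   <bits> SHA256:<fingerprint> <comment> (<TYPE>)
KEYGEN_RE = re.compile(r"^\d+ (?P<fp>SHA256:\S+) (?P<comment>.*) \(\w+\)$")

# Constructed sample data: not real keys, fingerprints or hosts.
KEYGEN_OUTPUT = """\
256 SHA256:u5aEXAMPLEaliceFINGERPRINTxxxxxxxxxxxxxxxxxx alice@laptop (ED25519)
3072 SHA256:q9rEXAMPLEbobFINGERPRINTyyyyyyyyyyyyyyyyyyyy bob@desktop (RSA)
"""

SECURE_LOG = """\
Mar  3 09:14:02 app01 sshd[4123]: Accepted publickey for appadmin from 10.0.5.17 port 52210 ssh2: ED25519 SHA256:u5aEXAMPLEaliceFINGERPRINTxxxxxxxxxxxxxxxxxx
Mar  3 09:20:45 app01 sshd[4190]: Accepted password for jdoe from 10.0.5.20 port 52301 ssh2
Mar  3 09:31:10 app01 sshd[4251]: Accepted publickey for appadmin from 10.0.5.31 port 52388 ssh2: RSA SHA256:q9rEXAMPLEbobFINGERPRINTyyyyyyyyyyyyyyyyyyyy
Mar  3 09:40:00 app01 sshd[4300]: Accepted publickey for appadmin from 10.0.5.99 port 52400 ssh2: RSA SHA256:zzzNOTINAUTHORIZEDKEYSzzzzzzzzzzzzzzzzzzzzzz
Mar  3 09:45:30 app01 sshd[4350]: Accepted publickey for appadmin from 10.0.5.12 port 52455 ssh2
"""

# A constructed authorized_keys entry (the blob is not a real key) used to
# show how the fingerprint is derived when only the raw file is available.
SAMPLE_AUTHORIZED_KEY = (
    "ssh-ed25519 "
    + base64.b64encode(b"constructed-not-a-real-key").decode()
    + " alice@laptop"
)


def build_key_inventory(keygen_output):
    """Map fingerprint -> comment (key owner) from `ssh-keygen -lf` output."""
    inventory = {}
    for line in keygen_output.splitlines():
        m = KEYGEN_RE.match(line.strip())
        if m:
            inventory[m["fp"]] = m["comment"]
    return inventory


def fingerprint(authorized_keys_line):
    """SHA256 fingerprint of a `<type> <base64-blob> [comment]` entry,
    formatted the way ssh-keygen prints it (unpadded base64)."""
    _keytype, blob = authorized_keys_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def attribute_logins(log_text, inventory, shared_account):
    """Return (timestamp, source ip, owner) for every key-based login to
    shared_account; password logins and other accounts are ignored."""
    results = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m or m["user"] != shared_account:
            continue
        if m["fp"] is None:
            owner = "UNKNOWN (no fingerprint logged)"
        else:
            owner = inventory.get(m["fp"], "UNKNOWN (key not in inventory)")
        results.append((line[:15], m["ip"], owner))
    return results


if __name__ == "__main__":
    inventory = build_key_inventory(KEYGEN_OUTPUT)
    for when, ip, owner in attribute_logins(SECURE_LOG, inventory, "appadmin"):
        print(f"{when}  appadmin login from {ip:<12} -> {owner}")
    print("fingerprint of sample entry:", fingerprint(SAMPLE_AUTHORIZED_KEY))
```

The two UNKNOWN cases are the ones worth alerting on: a fingerprint that is not in the shared account's authorized_keys means someone added a key outside the inventory, and a line with no fingerprint means the sshd on that host is too old or logging too little to support the policy change the question asks about.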