[unisog] Admin Access to Servers

Russell Fulton r.fulton at auckland.ac.nz
Fri Nov 17 01:42:46 GMT 2006

Addam Schroll wrote:
> The current concept goes so far as to require each admin to carry a
> separate laptop from their normal machine in order to allow remote
> access from home or work.  Unfortunately, the extra machine and
> draconian policies have the admins up in arms.
I don't get the requirement for a second machine.

All our admin have laptops that they are expected to take home and use
for remote access as well as for work on site (most of us have big
screens and keyboards at our desks).  We operate a VPN concentrator and
an SSH gateway into our network. 

We are in the middle of a project to require 2FA on all servers that
hold sensitive data.  Currently the ssh gateway requires 2FA, and we have
plans to implement a new group on the VPN that will require 2FA. Users
in this group will get addresses from a different pool to 'ordinary'
users, and only addresses from this pool will be allowed through the
firewall into the secure network.  To connect to machines with sensitive
data, admins will have to use 2FA again to log in.  On Unix boxes we also
require 2FA for sudo.

2FA does a reasonable job of mitigating keylogging and other
password-stealing threats.

We have had some grumbles from admins about requiring multiple 2FA
logins (worst case 3 -- ssh gateway, account login, sudo) with up to a
minute wait for the token to roll over (we are using RSA).  We did
consider 'crypto card', which had a feature that allowed you to get the
next number without waiting; the downside is that it is easy to get the
card out of sync by pressing the next button too many times (five?).
This requires the tokens to be physically returned to base for
resyncing.  We had visions of kids playing with keys and discovering
that they can change the number by squeezing the token -- hello! Mum (or
Dad;) is now locked out!  We were also worried about the less robust
nature of the tokens with a physical switch in them.

Cheers, Russell.