Welcome to IWETHEY!

New System security question
Suppose you have a shared web hosting account on a Linux server. You have shell access via SSH, so you have a UNIX username and password.

Now suppose you contact technical support because cron isn't working correctly.

Is there any legitimate reason they should need your password in order to investigate this?

I'm pretty sure I know the answer, but I wanted to check.
--

Drew
New perhaps
If the tech has local root he can su - to your account to verify how cron is, isn't working. If he doesn't already have root access he prolly doesn't have enough experience to fix a cron problem.
Now having said that, there is always a push for only certain people to have root or sudo and never giving that account up to the App/System support guys; that MAY be the case here.
New That's what I was thinking
If they don't trust him to have root on the box, odds are he doesn't know how to fix it anyway.
--

Drew
New Their reply
I asked why they needed it, because giving out your password is poor security practice. Here's what they said:
Please be informed, that we need your password in order to resolve the issue faster, because without the password we will have to send the ticket to another department, wait until they provide this password. After that we will test and send to another department and it is taking a lot of time. So, we kindly ask you to provide us with your ssh password.

Thank you for your understanding.
And the first guy I talked to didn't even know what crontab was. So I'll be damned if I'm letting him play around with my account.
--

Drew
New windows dweeb, don't let him have it
New This. No admin ever needs your pw
Unless they specifically need to be you.

Which they don't.
New Tier 1 guy isn't an admin
He just wants my password so he can follow the script they gave him and see what happens.
--

Drew
New Sorry if he doesn't know what crontab/cronjob is...
No password for him ... please and thank you.
New Re: System security question
Under no circumstances do you need to give out your password.

If they properly have sudo set up... he should be able to "sudo su - drook" with his/her password and then become you.

There is little to *ANY* chance that this person can fix your problem. Do not give them the password.

Any Admin worth his/her salt can become the target user easily without any effort.
New Run away from them. Fast.
If they don't understand security enough to know this is an idiotic request, then you can't trust them to secure their servers properly *at all*.

And the BS about getting the password from another department... if you've changed it (which I hope you have), they will have to bruteforce it. Unless they've changed the passwd program to store it somewhere in the clear, which is unforgivably stupid. In which case, they don't care about their customers, only about their customers' money which is, unfortunately, not the same thing.

Wade.

Q:Is it proper to eat cheeseburgers with your fingers?
A:No, the fingers should be eaten separately.
New Soon ... very soon
I'm still working through the import cleanup. But I'm getting close.
--

Drew
     System security question - (drook) - (10)
         perhaps - (boxley) - (6)
             That's what I was thinking - (drook) - (5)
                 Their reply - (drook) - (4)
                     windows dweeb, dont let him have it -NT - (boxley) - (3)
                         This. No admin ever needs your pw - (pwhysall) - (2)
                             Tier 1 guy isn't an admin - (drook) - (1)
                                 Sorry if he doesn't know what crontab/cronjob is... - (folkert)
         Re: System security question - (folkert)
         Run away from them. Fast. - (static) - (1)
             Soon ... very soon - (drook)