
Referring to this PCI DSS 2.0 and ssh keys I want to ask

Is this PCI section 8.2 only for individual users or also valid if a user connects via ssh to a root account?

I prefer to ssh root@localhost instead of sudo, because once you unlock the key in ssh-agent you can then do passwordless actions on multiple servers.

With sudo you'll need to type your password on all servers, again and again (and it's the same one, because of LDAP), which is frustrating to the point that the password will end up in an expect script.

Gunstick
  • 21
  • 2

2 Answers


8.2 is not your problem, 8.1 is. It's referenced in 8.2:

In addition to assigning a unique ID...

8.1 states:

Assign all users a unique ID before allowing them to access system components or cardholder data.

If you log in directly to the root account over the network, then there is no unique ID involved in accessing the system. The system audit logs do not provide any correlation between the activities performed by root and the employee who performed them.

Most QSAs interpret 8.1 as disallowing direct root login for this reason.

With that said, nothing in DSS requires sudo to require passwords for authorized users who have already authenticated themselves to the system. Subject to your QSA's approval, you should be able to use NOPASSWD: to loosen the requirement for typing in passwords by authorized administrators.

gowenfawr
  • 72,355
  • 17
  • 162
  • 199

You can do an end-run around this by having your shell set to sudo root on login. Proper auditing will allow tracking of any processes to whoever originally logged in, thereby meeting the spirit of the PCI (attribution) while giving you the convenience of root. See also https://superuser.com/questions/306530/run-remote-ssh-command-with-full-login-shell

Jeff Ferland
  • 38,170
  • 9
  • 94
  • 172
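The attribution point made in both answers above (direct root login leaves no unique ID in the audit trail, while sudo, including a sudo-to-root login shell, records the individual behind each root action) can be checked against real logs. The script below is an added example, not code from either answer; it parses a few constructed auth.log lines in the standard sshd and sudo syslog formats and flags root activity that cannot be tied to a named user. Host name, user names, addresses and fingerprints are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample auth.log lines (not from the original thread). They model three
# ways to reach root on a host in PCI scope:
#   1. alice runs a single command through sudo
#   2. a key holder logs in directly as root over ssh (no individual's ID is recorded)
#   3. bob's login escalates to a root shell through sudo, as the second answer suggests
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 pci-host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  3 10:16:12 pci-host sshd[2312]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Mar  3 10:16:13 pci-host sshd[2312]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 10:17:40 pci-host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:18:02 pci-host sshd[2400]: Accepted publickey for carol from 10.0.0.7 port 51300 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT2
"""

# sudo's default log line: "<actor> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo:\s+(?P<actor>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# sshd's successful-login line: "Accepted <method> for <user> from <src> port ..."
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")


@dataclass
class RootAccess:
    actor: str        # the unique ID that PCI DSS 8.1 wants in the audit trail, or "<none>"
    via: str          # "sudo" or "ssh"
    detail: str       # command executed, or authentication method and source address
    attributed: bool  # True when a named individual is tied to the root activity


def parse_line(line: str) -> Optional[RootAccess]:
    """Turn one auth.log line into a RootAccess record if it represents root activity."""
    m = SUDO_RE.search(line)
    if m:
        if m.group("target") != "root":
            return None  # sudo to a non-root account is out of scope for this check
        # sudo always names the invoking user, so the action is attributable.
        return RootAccess(m.group("actor"), "sudo", m.group("cmd").strip(), True)
    m = SSH_RE.search(line)
    if m and m.group("user") == "root":
        # sshd records the key's fingerprint and source, but no individual's user ID.
        return RootAccess("<none>", "ssh", f"{m.group('method')} from {m.group('src')}", False)
    return None


def root_access_report(log_text: str) -> List[RootAccess]:
    """All root activity found in the log, in order of appearance."""
    return [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]


def unattributed_root_activity(log_text: str) -> List[RootAccess]:
    """The 8.1 finding: root activity with no unique ID behind it."""
    return [r for r in root_access_report(log_text) if not r.attributed]


if __name__ == "__main__":
    for r in root_access_report(SAMPLE_AUTH_LOG):
        flag = "OK " if r.attributed else "GAP"
        print(f"{flag} actor={r.actor:<7} via={r.via:<4} {r.detail}")
```

Run against the sample, the script reports alice's command and bob's root shell as attributed and flags the direct root login as a gap: the sudo lines carry the invoking user even when the command is `/bin/bash`, which is why the login-shell approach in the second answer keeps attribution while a key-based `root` login does not. In practice, a key fingerprint can be mapped back to a person only if you maintain that mapping yourself, which is the correlation the first answer says the audit logs do not provide.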