[Freeipa-devel] Root accountability in a cluster

Matthew Booth mbooth at redhat.com
Fri Oct 19 21:27:03 UTC 2007


On Fri, 2007-10-19 at 13:32 -0400, Simo Sorce wrote:
> Matthew,
> there are a few ways to address this problem.
> 
> It is indeed correct that if you escalate privileges locally with sudo
> you can't bring this around. I won't go in details but it would be very
> difficult to do.
> 
> But there are other ways to do it.
> 
> 1. a way can be for you to simply kinit to a root@BLAH principal that is
> mapped to root, this will give you access as root to all machines. This
> is not convenient of course as it would reveal the root password.
> 
> 2. make a sudo configuration that does not require a password for the
> commands you need, this will work on all machines (provided they have
> the same sudo config) and not requiring a password will just work. The
> only caveat is that you have to call all commands you need via sudo.
> 
> 3. add another auth layer to that by limiting passwordless sudo to
> specific accounts, a kinit to xyzadmin@REALM will give you access to all
> machines as xyzadmin and sudo will allow only him to issue passwordless
> privileged commands.
> 
> 3.1. #3 has the same caveat as 2, but if you are truly *evil* you can
> "alias" the needed commands so that doing something like chkconfig will
> actually result in "sudo chkconfig". This will be relatively harmless as
> the account used is for "admin operations only".
> 
> 
> Of course if you need to operate on localhost you can still do all this
> and then just ssh localhost (the kerberos ticket will allow you
> passwordless access to localhost as well).
> 
> Is there a scenario you have in mind where any of these would still not
> be optimal ?

I was looking for unconfined root on all servers. Allowing passwordless
sudo execution of any command would work, but would be extremely ugly.
I'd like to keep it as a fallback.

I was hoping that auth_to_local (man krb5.conf) might be of use to me. I
haven't tried this out, but I got the impression I could map
mbooth@EXAMPLE.COM to root. Will that work? If so, would it still be
feasible to set an audit context representing mbooth@EXAMPLE.COM ?

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
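As an added illustration, not part of the thread and not FreeIPA or MIT code: a small Python evaluator for the auth_to_local RULE syntax documented in krb5.conf(5), run over a constructed krb5.conf fragment of the kind Matt describes (one rule mapping mbooth@EXAMPLE.COM to root, then DEFAULT). The semantics modelled (rules tried in file order, first applicable rule wins, the component count in [n:...] must match exactly, the (selector) regexp must match the whole formatted string, DEFAULT applies only to single-component principals in the default realm) are my reading of the man page and are an assumption to check against the real library before relying on them. The rule names, principals and hostnames are invented for the example.

```python
import re

# Constructed krb5.conf fragment (assumption: this is the shape of mapping
# Matt is asking about; nothing in the thread says it was ever deployed).
KRB5_CONF = r"""
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        auth_to_local = RULE:[1:$1@$0](^mbooth@EXAMPLE\.COM$)s/.*/root/
        auth_to_local = RULE:[2:$1](^host$)s/.*/nobody/
        auth_to_local = DEFAULT
    }
"""

# RULE:[n:string](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(r'^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*)/(.*)/(g?)$')


def parse_auth_to_local(conf_text, realm):
    """Return the auth_to_local values declared for `realm`, in file order."""
    in_realm = False
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line == f"{realm} = {{":
            in_realm = True
        elif in_realm and line == "}":
            break
        elif in_realm and line.startswith("auth_to_local"):
            rules.append(line.split("=", 1)[1].strip())
    return rules


def apply_rule(rule, components, realm, default_realm):
    """Apply one rule; return the local name, or None if the rule is not applicable."""
    if rule == "DEFAULT":
        # DEFAULT: single-component principal in the default realm maps to itself.
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported auth_to_local value: {rule}")
    n, fmt, selector, pattern, replacement, flags = m.groups()
    if int(n) != len(components):
        return None            # component count must match exactly
    # Format string: $0 is the realm, $1..$n the principal components.
    formatted = fmt.replace("$0", realm)
    for i, comp in enumerate(components, 1):
        formatted = formatted.replace(f"${i}", comp)
    # Selector must match the whole formatted string (assumed semantics).
    if not re.fullmatch(selector, formatted):
        return None
    count = 0 if flags == "g" else 1
    return re.sub(pattern, replacement, formatted, count=count)


def map_principal(principal, rules, default_realm="EXAMPLE.COM"):
    """First applicable rule wins; None means no mapping, i.e. the login is refused."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    for rule in rules:
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    rules = parse_auth_to_local(KRB5_CONF, "EXAMPLE.COM")
    for p in ("mbooth@EXAMPLE.COM", "ssorce@EXAMPLE.COM",
              "mbooth@OTHER.ORG", "host/web1.example.com@EXAMPLE.COM"):
        print(f"{p:40} -> {map_principal(p, rules)}")
```

Two things worth noticing when reading the output: the first rule's selector is anchored and names the realm, so mbooth@OTHER.ORG is refused rather than mapped to root (an unanchored selector such as `(mbooth)` would match far more than intended), and the result of the mapping is only a local user name, so the question in Matt's mail of whether the original principal can still be carried into an audit context is not something this mapping step answers.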