Re: [Freeipa-devel] Maintaining Identity in a large cluster

Dmitri Pal wrote:
> If I use kerberised SSH I will log into one node with my real user ID, then escalate to root. Now I have both a user ticket and a root ticket. So to log into the rest of the nodes I can just do the ssh as root, and for the rest it would be just Kerberos SSO.
> Every node has to be a principal in the KDC.
> But there will be an audit trail of this SSO on the KDC. Will that be a solution?

I'm not entirely sure I follow the Kerberos scenario there. But even assuming it works, this wouldn't be a terribly good solution.

On a single machine I can set the audit system to log whenever an auditable event happens, and tell me who did it. When you move this into a cluster, you lose this context. While the information might theoretically still be there, you are throwing away one of the most useful features of the audit system. You are also making automated processing of the audit logs substantially harder and more error-prone.

Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
