[Freeipa-devel] Root accountability in a cluster

Simo Sorce ssorce at redhat.com
Fri Oct 19 17:32:50 UTC 2007


Matthew,
there are a few ways to address this problem.

It is indeed correct that if you escalate privileges locally with sudo
you can't bring this around. I won't go into details but it would be very
difficult to do.

But there are other ways to do it.

1. a way can be for you to simply kinit to a root at BLAH principal that is
mapped to root, this will give you access as root to all machines. This
is not convenient of course as it would reveal the root password.

2. make a sudo configuration that does not require a password for the
commands you need, this will work on all machines (provided they have
the same sudo config) and not requiring a password will just work. The
only caveat is that you have to call all commands you need via sudo.

3. add another auth layer to that by limiting passwordless sudo to
specific accounts, a kinit to xyzadmin at REALM will give you access to all
machines as xyzadmin and sudo will allow only him to issue passwordless
privileged commands.

3.1. #3 has the same caveat as 2, but if you are truly *evil* you can
"alias" the needed commands so that doing something like chkconfig will
actually result in "sudo chkconfig". This will be relatively harmless as
the account used is for "admin operations only".


Of course if you need to operate on localhost you can still do all this
and then just ssh localhost (the kerberos ticket will allow you
passwordless access to localhost as well).

Is there a scenario you have in mind where any of these would still not
be optimal?

Simo.

On Thu, 2007-10-18 at 23:18 +0100, Matthew Booth wrote:
> If I want the actions of a root user to be accountable, I can insist
> that users log on as themselves and then use, eg, sudo to escalate their
> privileges. If I want to run a command as root on a cluster, though,
> this appears to fall down. I can implement kerberos authentication for
> the cluster so that I can seamlessly hop from machine to machine without
> reauthenticating. However, I cannot transfer my escalated privileges in
> a similar manner, without doing something like running sudo on every
> target node.
> 
> Is the following feasible:
> * SSH to root at foo.example.com
> * Present credentials for mbooth at EXAMPLE.COM
> * mbooth at EXAMPLE.COM is on an allowed list for root
> * I am logged in directly as root
> * My audit context is mbooth
> 
> I think all but the last step is probably possible, but I'm not sure of
> that. Is it possible? Is it sane? Is anybody working on it?
> 
> Thanks,
> 
> Matt
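
Options 2, 3 and 3.1 from the reply above, sketched as a sudoers drop-in. This is an added example, not part of the original thread; the file name, the command paths and the %wheel group are assumptions, and xyzadmin is the account named in the reply.

```sudoers
# /etc/sudoers.d/cluster-admin   (hypothetical file name)
# Validate before deploying: visudo -cf /etc/sudoers.d/cluster-admin
# The same file must be present on every node for option 2 or 3 to work.

# Commands the admin role needs. Paths are assumptions; list full paths
# and keep the set as small as the job allows.
Cmnd_Alias CLUSTER_ADMIN = /sbin/chkconfig, /sbin/service

# Option 2: passwordless sudo for the needed commands, here granted to a
# whole group (assumed: wheel). Left commented out as the broader variant.
# %wheel    ALL = (root) NOPASSWD: CLUSTER_ADMIN

# Option 3: passwordless sudo only for the dedicated admin account that is
# reached with a Kerberos ticket for xyzadmin at REALM.
xyzadmin    ALL = (root) NOPASSWD: CLUSTER_ADMIN

# Option 3.1 lives in xyzadmin's shell profile, not in sudoers:
#   alias chkconfig='sudo /sbin/chkconfig'
#   alias service='sudo /sbin/service'
```

sudo records each invocation under the invoking account name, so with option 3 the log entries on every node carry xyzadmin rather than the individual who obtained the ticket.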



