[Freeipa-devel] Maintaining Identity in a large cluster

Matthew Booth mbooth at redhat.com
Thu Jun 26 22:42:34 UTC 2008


Dmitri Pal wrote:
> If I use kerberised SSH I will log into one node with real user ID, then 
> escalate to root.
> Now I have both user ticket and root ticket. So to log into the rest of 
> the nodes I can just do the ssh as root and for the rest it would be 
> just kerberos SSO.
> Every node has to be a principal in the KDC.
> But there will be an audit trail of this SSO on the KDC. Will that be a 
> solution?

I'm not entirely sure I follow the kerberos scenario there. But even 
assuming it works, this wouldn't be a terribly good solution.

On a single machine I can set the audit system to log whenever an 
auditable event happens, and tell me who did it. When you move this into 
a cluster, you lose this context. While the information might 
theoretically still be there, you are throwing away one of the most 
useful features of the audit system. You are also making automated 
processing of the audit logs substantially harder and more error-prone.

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
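An added illustration of the audit-context point above (example code written for this archive page, not part of the thread and not FreeIPA code): on one Linux host, auditd stamps every record with the login UID (auid), which survives escalation to root, so "who did it" is answered by a single field. When the same admin then hops to another node as root, that node's records carry auid=0, and recovering the originating user becomes a cross-host join on timing and source address. The log lines, node addresses, UID map and helper names below are all constructed for the example, and the auditd record format is simplified.

```python
"""Attribution of keyed audit events on a single node vs. across a cluster.

All records, addresses and UID mappings here are constructed sample data.
Field names (type, auid, ses, hostname, comm, key) follow auditd's style.
"""
import re

# Constructed topology and identity data (in practice the KDC/IdM server holds these).
NODE_ADDR = {"node1": "10.0.0.1", "node2": "10.0.0.2", "node3": "10.0.0.3"}
USERS = {1001: "mbooth", 1002: "jdoe"}

# Constructed, simplified auditd-style records: (node, raw line).
SAMPLE_LOGS = [
    # node1: mbooth logs in with his own identity, escalates, edits a watched file,
    # then sshes onward as root (Kerberos SSO). auid stays 1001 throughout.
    ("node1", 'type=USER_LOGIN msg=audit(1214520000.100:1): pid=2001 uid=0 auid=1001 ses=3 acct="mbooth" exe="/usr/sbin/sshd" hostname=10.0.0.50 terminal=ssh res=success'),
    ("node1", 'type=SYSCALL msg=audit(1214520060.200:2): syscall=2 success=yes uid=0 auid=1001 ses=3 comm="vi" exe="/usr/bin/vi" key="etc-changes"'),
    ("node1", 'type=SYSCALL msg=audit(1214520119.500:3): syscall=59 success=yes uid=0 auid=1001 ses=3 comm="ssh" exe="/usr/bin/ssh"'),
    # Later a second admin is also active on node1 and both run ssh within seconds.
    ("node1", 'type=USER_LOGIN msg=audit(1214520300.100:4): pid=2101 uid=0 auid=1002 ses=4 acct="jdoe" exe="/usr/sbin/sshd" hostname=10.0.0.51 terminal=ssh res=success'),
    ("node1", 'type=SYSCALL msg=audit(1214520395.500:5): syscall=59 success=yes uid=0 auid=1001 ses=3 comm="ssh" exe="/usr/bin/ssh"'),
    ("node1", 'type=SYSCALL msg=audit(1214520398.500:6): syscall=59 success=yes uid=0 auid=1002 ses=4 comm="ssh" exe="/usr/bin/ssh"'),
    # node2 and node3: root logins arriving from node1's address. auid is 0, so the
    # local audit trail no longer says which person made the change.
    ("node2", 'type=USER_LOGIN msg=audit(1214520120.300:7): pid=3001 uid=0 auid=0 ses=9 acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.1 terminal=ssh res=success'),
    ("node2", 'type=SYSCALL msg=audit(1214520180.400:8): syscall=2 success=yes uid=0 auid=0 ses=9 comm="vi" exe="/usr/bin/vi" key="etc-changes"'),
    ("node3", 'type=USER_LOGIN msg=audit(1214520400.300:9): pid=4001 uid=0 auid=0 ses=5 acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.1 terminal=ssh res=success'),
    ("node3", 'type=SYSCALL msg=audit(1214520420.400:10): syscall=2 success=yes uid=0 auid=0 ses=5 comm="vi" exe="/usr/bin/vi" key="etc-changes"'),
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")


def parse(node, line):
    """Turn one raw record into a dict; numeric audit fields become ints."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["node"] = node
    rec["ts"] = int(TS_RE.search(line).group(1))
    for k in ("uid", "auid", "ses", "pid"):
        if k in rec:
            rec[k] = int(rec[k])
    return rec


def who_did_it(records, key="etc-changes"):
    """Single-host attribution: (node, ts, auid, ses) for each keyed SYSCALL event.

    On the node where the admin first logged in, auid already names the person.
    """
    return [(r["node"], r["ts"], r["auid"], r["ses"])
            for r in records if r.get("type") == "SYSCALL" and r.get("key") == key]


def correlate_root_logins(records, window=60):
    """Best-effort recovery of the person behind a root ssh login from another node.

    For each USER_LOGIN with auid=0 whose source address belongs to a cluster node,
    find outbound 'ssh' execs with a non-root auid on that node shortly before.
    Exactly one candidate auid -> attributed; zero or several -> None (ambiguous).
    This is the cross-host join a single machine's audit system never needs,
    and it breaks as soon as two admins are active on the source node at once.
    """
    addr_to_node = {addr: name for name, addr in NODE_ADDR.items()}
    recovered = {}
    for r in records:
        if r.get("type") != "USER_LOGIN" or r["auid"] != 0:
            continue
        src = addr_to_node.get(r.get("hostname"))
        candidates = {c["auid"] for c in records
                      if src is not None and c["node"] == src
                      and c.get("type") == "SYSCALL" and c.get("comm") == "ssh"
                      and c["auid"] != 0 and 0 <= r["ts"] - c["ts"] <= window}
        recovered[(r["node"], r["ses"])] = candidates.pop() if len(candidates) == 1 else None
    return recovered


def attribute_cluster(records, key="etc-changes"):
    """Cluster-wide attribution: (node, ts, auid-or-None) for each keyed event."""
    recovered = correlate_root_logins(records)
    out = []
    for node, ts, auid, ses in who_did_it(records, key):
        if auid == 0:
            auid = recovered.get((node, ses))
        out.append((node, ts, auid))
    return out


if __name__ == "__main__":
    recs = [parse(n, line) for n, line in SAMPLE_LOGS]
    for node, ts, auid in attribute_cluster(recs):
        who = USERS.get(auid, "unknown (root login, ambiguous source)")
        print(f"{node} t={ts} etc-changes by {who}")
```

Run as a script, the node1 change is attributed directly from auid, the node2 change is recovered only by correlating with node1's outbound ssh, and the node3 change stays unattributed because two admins on node1 ran ssh within the window; that last case is the "error-prone" part of the argument above.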



