Matt Mossholder on 10 Aug 2011 07:08:17 -0700



Re: [PLUG] ClusterSSH & friends


On Wed, Aug 10, 2011 at 9:17 AM, Julien Vehent <julien@linuxwall.info> wrote:
> On Wed, 10 Aug 2011 13:22:01 +0200, sean finney wrote:
> > how about just having a well-restricted NOPASSWD line in /etc/sudoers?
> >
> >    %people_who_can_adduser ALL=(ALL) /path/to/your/adduser/command
> >
> > no need for extra complication if it's not entirely necessary...
>
> That's fine for recurring tasks, but what if you want to launch any root command in a secure manner on your entire environment? I cannot list in advance what type of command I will have to launch, and I do not want a list of 50 commands with NOPASSWD.
> Yet again, creating a user was just for the experiment. Most likely, I will have to edit files on all of those servers at once more than creating users.
>
> For now, the env is still small (9+ servers) but it might grow past 30 at some point. It's far from Google's size, but it's an interesting intellectual challenge :)
>
> Julien

Sounds like you probably want to enable remote root access via SSH (with keys)...

Passing credentials around on the command line (even in variables!) is considered "not a good thing". For example, using the command on your blog to pass your password to sudo will expose your password via the ps command on the security-relay host, for a short amount of time, since bash is going to expand out the variable before launching the command.

--Matt
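As an added illustration of Matt's point (this is constructed example code, not from the thread or Julien's blog), the script below runs the same dummy secret through two launch styles and captures what `ps` would see, i.e. the process's `/proc/<pid>/cmdline`. It assumes Linux with /proc mounted and a POSIX sh.

```shell
#!/bin/sh
# Added example: a secret that the shell expands into an argument ends up in the
# child's argv, which any local user can read via /proc/<pid>/cmdline (that is
# what `ps` shows). A secret handed over on stdin never appears there.
# Assumes Linux (/proc) and POSIX sh. The secret value is constructed.

SECRET='hunter2-constructed'

# Style 1: the shell expands $SECRET into argv before launching the command.
# The child dumps its own argv (NUL separators turned into spaces), exactly as
# a `ps -o args` on that pid would print it.
argv_of_arg_passing() {
    sh -c 'tr "\0" " " < /proc/$$/cmdline' sh "$SECRET"
}

# Style 2: the secret is written to the child's stdin instead (the pattern
# `sudo -S` supports). The child reads it, then dumps its argv; the secret
# is not part of argv and so never shows up in /proc or in `ps`.
argv_of_stdin_passing() {
    printf '%s\n' "$SECRET" | sh -c 'read -r s; tr "\0" " " < /proc/$$/cmdline' sh -S
}

# Helper for the check: exit 0 if the secret is present in the given string.
leaks_secret() {
    case "$1" in
        *"$SECRET"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Stand-alone run: report which style exposes the secret.
if leaks_secret "$(argv_of_arg_passing)"; then
    echo "argument passing: secret visible in cmdline"
fi
if ! leaks_secret "$(argv_of_stdin_passing)"; then
    echo "stdin passing: secret not visible in cmdline"
fi
```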
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug