Matt Mossholder on 10 Aug 2011 07:08:17 -0700


Re: [PLUG] ClusterSSH & friends

On Wed, Aug 10, 2011 at 9:17 AM, Julien Vehent wrote:
> On Wed, 10 Aug 2011 13:22:01 +0200, sean finney wrote:
>> how about just having a well-restricted NOPASSWD line in /etc/sudoers?
>>
>>    %people_who_can_adduser ALL=(ALL) /path/to/your/adduser/command
>>
>> no need for extra complication if it's not entirely necessary...
>
> That's fine for recurring tasks, but what if you want to launch any root command in a secure manner on your entire environment? I cannot list in advance what type of command I will have to launch, and I do not want a list of 50 commands with NOPASSWD.
> Yet again, creating a user was just for the experiment. Most likely, I will have to edit files on all of those servers at once more than creating users.
>
> For now, the env is still small (9+ servers) but it might grow past 30 at some point. It's far from Google's size, but it's an interesting intellectual challenge :)


Sounds like you probably want to enable remote root access via SSH (with keys)...

Passing credentials around on the command line (even in variables!) is considered "not a good thing". For example, using the command on your blog to pass your password to sudo will expose your password via the ps command on the security-relay host, for a short amount of time, since bash is going to expand out the variable before launching the command.
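
The exposure described in the reply above, as an added example that is not part of the original thread: it starts a stand-in child process twice, once with a secret expanded into its arguments and once with the secret fed over standard input, and prints what a process listing shows in each case. The `SECRET` value, the `demo-child` marker and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added demo (constructed values): what a process listing reveals for a secret
# passed as an argument versus one passed on standard input.
SECRET='constructed-demo-password'   # constructed sample, not a real credential

# Print the argument vector of PID $1 as the kernel exposes it to other users.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"          # fallback where /proc is unavailable
    fi
}

# Poll until the child has exec'd (its argv carries the "demo-child" marker),
# then print that argv. Before exec the child still shows the parent's argv.
observe() {
    tries=0
    while [ "$tries" -lt 50 ]; do
        seen=$(cmdline_of "$1" 2>/dev/null) || seen=''
        case $seen in *demo-child*) printf '%s\n' "$seen"; return 0 ;; esac
        tries=$((tries + 1)); sleep 0.1
    done
    return 1
}

# Case 1: the shell expands "$SECRET" before exec, so the value itself is argv.
leak_via_argv() {
    sh -c 'sleep 1; :' demo-child "$SECRET" &
    child=$!
    observe "$child"; rc=$?
    wait "$child"
    return "$rc"
}

# Case 2: the value travels over a pipe; printf is a builtin in bash and dash,
# so no process ever has the secret in its argument vector.
pass_via_stdin() {
    printf '%s\n' "$SECRET" | sh -c 'read -r pw; sleep 1; :' demo-child &
    child=$!
    observe "$child"; rc=$?
    wait "$child"
    return "$rc"
}

echo "argv : $(leak_via_argv)"
echo "stdin: $(pass_via_stdin)"
```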

Philadelphia Linux Users Group