I read Christian Pearce’s article on Managing Root Access and I
had a few questions. I would have written to Christian directly, but
since he’s active on this list, I figured I might as well post here and
get everyone’s input.
This seems like a pretty good strategy for automating root
access management using cfengine; however, a couple of things come to mind:
- This might work in a small shop where the same group of Sysadmins have
  root on all boxes.
- This could even work in a large shop if you use something like
  SingleCopy nirvana to distribute the authorized_keys based on server
  role or department.
What I would really like to know is this:
- Has anyone implemented an authorized_keys distribution system that uses
  editfiles rather than copy?
- Do you think it would be possible to build an authorized_keys file on
  the fly if you had each sysadmin’s public key as a line in an editfiles
  statement?
- Taking this even further, could a sysadmin’s public key automatically be
  copied from their home directory and updated on the master cfengine
  repository to be included in an editfiles statement? (This last action
  would allow anyone to regenerate their ssh key using ssh-keygen and have
  cfengine automatically update all authorized_keys files on all servers
  they have access to.)
I think the most difficult thing would be trying to turn the
id_rsa.pub files (public keys) into an importable .cf file that could be
included in an editfiles statement for #3 above. Or is there an easier
way to do this that I’m missing?
Thanks in advance for all your input.
Luke Youngblood
Senior System Administrator
PhoneCharge, Inc.
(203) 732-7639 x279
http://www.phonechargeinc.com
_______________________________________________
Help-cfengine mailing list
Help-cfengine@gnu.org
http://lists.gnu.org/mailman/listinfo/help-cfengine
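
Added example, not part of the original message and not cfengine's own code: one way to turn collected id_rsa.pub lines into an editfiles stanza, validating each key first so that a line carrying authorized_keys options, quote characters or a $(variable) never reaches root's authorized_keys. It assumes cfengine 2 editfiles syntax (AutoCreate, AppendIfNoSuchLine); the function names are hypothetical and the sample keys are constructed filler, not real keys.

```python
import base64
import re
import struct

ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}
# Comment charset excludes quotes and "$(" so it cannot break the cfengine string.
SAFE_COMMENT = re.compile(r"^[A-Za-z0-9@._-]{1,64}$")

def validate_pubkey(line):
    """Return a normalised 'type blob comment' line, or raise ValueError."""
    fields = line.split()
    # Exactly three fields: this also rejects lines that start with
    # authorized_keys options such as command="..." or from="...".
    if len(fields) != 3:
        raise ValueError("expected: key-type base64-blob comment")
    ktype, blob, comment = fields
    if ktype not in ALLOWED_TYPES:
        raise ValueError("key type not allowed: %r" % ktype)
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("blob is not valid base64") from exc
    # The decoded blob begins with a length-prefixed copy of the key type.
    if len(raw) < 4 or raw[4:4 + struct.unpack(">I", raw[:4])[0]] != ktype.encode():
        raise ValueError("key type does not match blob contents")
    if not SAFE_COMMENT.match(comment):
        raise ValueError("unsafe characters in comment")
    return " ".join(fields)

def render_editfiles(pubkeys, target="/root/.ssh/authorized_keys"):
    """Build a cfengine 2 editfiles stanza (assumed syntax) from key lines."""
    out = ["editfiles:", "  { %s" % target, "    AutoCreate"]
    for line in sorted({validate_pubkey(k) for k in pubkeys}):
        out.append('    AppendIfNoSuchLine "%s"' % line)
    out.append("  }")
    return "\n".join(out) + "\n"

def sample_blob(ktype):
    """Constructed sample data: valid type header, filler instead of a key."""
    raw = struct.pack(">I", len(ktype)) + ktype.encode() + b"\x00" * 32
    return base64.b64encode(raw).decode()

if __name__ == "__main__":
    keys = ["ssh-rsa %s alice@admin1" % sample_blob("ssh-rsa"),
            "ssh-ed25519 %s bob@admin2" % sample_blob("ssh-ed25519")]
    print(render_editfiles(keys))
```

AppendIfNoSuchLine only adds lines, so a regenerated key leaves the old one in place until a separate step removes it.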