I don't see why this couldn't happen. A few m4 macros and block editing in editfiles would make it a breeze.

Russell

On Tue, May 17, 2005 at 12:38:19PM -0400, Luke Youngblood wrote:
> I read Christian Pearce's article on Managing Root Access
> <http://www.sysnav.com/index.php?articles> and I had a few questions.
> I would have written to Christian directly, but since he's active on
> this list, I figured I might as well post here and get everyone's input.
>
> This seems like a pretty good strategy for automating root access
> management using cfengine, however, a couple of things come to mind:
>
> * This might work in a small shop where the same group of
>   Sysadmins have root on all boxes.
> * This could even work in a large shop if you use something like
>   SingleCopy nirvana to distribute the authorized_keys based on server
>   role or department.
>
> What I would really like to know is this:
>
> 1. Has anyone implemented an authorized_keys distribution system
>    that uses editfiles rather than copy?
> 2. Do you think it would be possible to build an authorized_keys
>    file on the fly if you had each sysadmin's public key as a line in an
>    editfiles statement?
> 3. Taking this even further, could a sysadmin's public key
>    automatically be copied from their home directory and updated on the
>    master cfengine repository to be included in an editfiles statement.
>    (This last action would allow anyone to regenerate their ssh key using
>    ssh-keygen and have cfengine automatically update all authorized_keys
>    files on all servers they have access to)
>
> I think the most difficult thing would be trying to turn the id_rsa.pub
> files (public keys) into an importable .cf file that could be included
> in an editfiles statement for #3 above. Or is there an easier way to do
> this that I'm missing.
>
> Thanks in advance for all your input.
>
> Luke Youngblood
> Senior System Administrator
> PhoneCharge, Inc.
> (203) 732-7639 x279
> <http://www.phonechargeinc.com>
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://lists.gnu.org/mailman/listinfo/help-cfengine
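
The following is an added example, not code from either poster or from the cfengine project: one way to turn collected id_*.pub lines into an importable cfengine 2 editfiles section (the step Luke calls the most difficult), validating each key first so that a malformed or option-prefixed line never reaches root's authorized_keys. The class names, the allowed key types and the sample keys are assumptions constructed for illustration.

```python
import base64
import re

# Assumed policy: key types accepted for root's authorized_keys.
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519"}

def parse_pubkey(line):
    """Validate one id_*.pub line; return (type, base64, comment) or raise ValueError."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    # Also rejects lines that start with options such as command="..." or from="...".
    if ktype not in ALLOWED_TYPES:
        raise ValueError("unexpected key type or leading options")
    blob = base64.b64decode(b64, validate=True)  # raises ValueError on bad base64
    # The decoded blob starts with a 4-byte length and the key type again.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("key type does not match key blob")
    # Quotes, spaces or newlines in the comment would break the quoted cfengine string.
    if not re.fullmatch(r"[A-Za-z0-9_@.+-]*", comment):
        raise ValueError("unsafe comment field")
    return ktype, b64, comment

def render_editfiles(keys_by_class, target="/root/.ssh/authorized_keys"):
    """Emit a cfengine 2 editfiles section with one stanza per class."""
    out = ["editfiles:"]
    for cls in sorted(keys_by_class):
        out += [f"  {cls}::", f"    {{ {target}", "      AutoCreate"]
        for line in keys_by_class[cls]:
            key = " ".join(p for p in parse_pubkey(line) if p)
            out.append(f'      AppendIfNoSuchLine "{key}"')
        out.append("    }")
    return "\n".join(out) + "\n"

def sample_key(comment, ktype="ssh-ed25519"):
    """Constructed placeholder: well-formed blob with all-zero key material, not a real key."""
    blob = len(ktype).to_bytes(4, "big") + ktype.encode() + (32).to_bytes(4, "big") + bytes(32)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"

if __name__ == "__main__":
    print(render_editfiles({
        "webservers": [sample_key("luke@admin1"), sample_key("russell@admin2")],
        "dbservers": [sample_key("luke@admin1")],
    }))
```

AppendIfNoSuchLine only ever adds lines, so a regenerated or revoked key stays in authorized_keys until something removes it; a generator like this needs a matching removal step before it can serve the key-rotation case in question 3.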