On Apr 4, 2007, at 2:30 AM, Rob van der Heij wrote:

> I know some installations automated maintaining copies of
> authorized_keys (at least for root) by replication from a master so
> that all required public keys were there when needed. But the security
> policy was that the user should be able to have his public key removed
> when compromised. That's hard to do when you don't know where it is
> kept (and a compromised system may be modified not to remove the key
> when the master is changed). Having it in one place makes it possible
> for the user to manage it.

This is what we do currently.  However, we're a small enough
organization that the number of key changes is fairly small, and the
amount of log output and manual file inspection I have to keep tabs
on to determine that cfengine really is doing what I asked it to is
reasonable.  If I had to manage thousands of machines and hundreds of
users with privileged access this would probably be infeasible.

> It may be helpful to distinguish between daily use and exceptional
> access to systems. I worked with folks who moved all their daily
> system admin stuff into cfengine and other managed processes. That
> avoided the need for support staff to login on production systems, and
> doing so would need to be justified by a problem ticket. If you can
> get that far the requirements are different.

For what it's worth, I really don't recommend cfengine.

It's not that it doesn't work--once you have it set up it works
tolerably well--but that its error messages range from unhelpful to
pathologically mendacious.  Specifically, "I can't find the target
directory" should not masquerade as a key authentication failure.

I have heard that puppet is nice for solving the same problem.
However, I went to LISA last year with high hopes of finding a
solution I liked, and was disappointed to learn that the whole area
of configuration management is a giant minefield of competing
philosophies.  The next major revision I do will probably use puppet
for file distribution and scheduled process maintenance (like, "HUP
the nameserver if the master zone file has changed"), but just use
good old makefiles to push out all other tasks (like user
provisioning or deprovisioning).

Adam
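The check both posters circle around (does the deployed authorized_keys really match the master, and has a revoked key lingered on a host that was "modified not to remove the key"?) can be done without trusting the configuration tool's own logs. The script below is an added example written for this thread; it is not code from Rob, Adam, cfengine or puppet. It compares a master authorized_keys file against a copy pulled from a host by key type and key blob only, ignoring comments and option prefixes, and reports keys that should have been removed and keys that never arrived. The file names, the two sample files and every key blob in them are constructed placeholder data, not real keys.

```shell
#!/bin/sh
# Audit a deployed authorized_keys file against the master copy.
# Added example for this thread; sample data below is constructed.

# Print "type blob" for every key line in an authorized_keys file, skipping
# blank lines, comments and any leading options (from=, command=, ...).
key_ids() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                    print $i, $(i+1)
                    break
                }
            }
        }' "$1" | sort -u
}

# Print the key ids that appear in file $2 but not in file $1.
# FILENAME == ARGV[1] (rather than NR == FNR) stays correct when $1 is empty.
ids_not_in() {
    a=$(mktemp); b=$(mktemp)
    key_ids "$1" > "$a"
    key_ids "$2" > "$b"
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$a" "$b"
    rm -f "$a" "$b"
}

extra_keys()   { ids_not_in "$1" "$2"; }   # on the host, not in the master
missing_keys() { ids_not_in "$2" "$1"; }   # in the master, not on the host

# Report drift for one host file; returns 1 on drift so the check can sit in
# a cron job or a Makefile target and fail loudly.
audit_host() {
    master=$1; host=$2; status=0
    extra=$(extra_keys "$master" "$host")
    missing=$(missing_keys "$master" "$host")
    if [ -n "$extra" ]; then
        printf 'UNAUTHORIZED key(s) in %s (not in master, remove them):\n%s\n' "$host" "$extra"
        status=1
    fi
    if [ -n "$missing" ]; then
        printf 'MISSING key(s) from %s (in master, not deployed):\n%s\n' "$host" "$missing"
        status=1
    fi
    [ "$status" -eq 0 ] && printf '%s matches master\n' "$host"
    return "$status"
}

# Constructed sample files: Bob's key was revoked from the master but lingers
# on the host; Carol's key was added to the master but never pushed.
write_samples() {
    [ -n "${WORKDIR:-}" ] && return 0
    WORKDIR=$(mktemp -d)
    trap 'rm -rf "$WORKDIR"' EXIT
    MASTER=$WORKDIR/authorized_keys.master
    HOST=$WORKDIR/authorized_keys.host
    cat > "$MASTER" <<'EOF'
# master copy of root's authorized_keys (constructed sample data, not real keys)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlice00000000000000000000000000000000000 alice@example
from="10.0.0.0/8",command="/usr/local/bin/backup" ssh-rsa AAAAB3NzaC1yc2EBackup000000000000000000000000000000000000 backup@example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICarol00000000000000000000000000000000000 carol@example
EOF
    cat > "$HOST" <<'EOF'
# copy pulled from one host (constructed sample data, not real keys)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlice00000000000000000000000000000000000 alice@example
ssh-rsa AAAAB3NzaC1yc2EBackup000000000000000000000000000000000000 backup
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBob0000000000000000000000000000000000000 bob@example
EOF
}

write_samples
audit_host "$MASTER" "$HOST"
```

Run it against a copy fetched from each host (scp, or whatever the management tool already distributes with) rather than against the tool's report of what it did; the point is an independent check. Note the deliberate limitation: matching on type and blob means a host copy that has dropped a `from=` or `command=` restriction still counts as matching, as the sample backup key does, so if option drift matters in your environment compare the whole line after normalising the comment field.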

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
