On Sunday, 01/18/2009 at 07:51 EST, Michael MacIsaac/Poughkeepsie/i...@ibmus wrote:
> So let me ask this to the list - what are the rules regarding key-based
> authentication? Is this approach not authorized even though no root (or
> any other) passwords go over the wire? Or is it just the rule that the
> /root/.ssh/authorized_keys file never exist?

It isn't about passwords, per se. Rather, many (most?) sites prohibit remote login of root *by any means*.

> If there is no key-based authentication for root allowed, can there be for
> non-root users (not sure how much this will help).
>
> One thing I'm looking for is a way that a central Linux system can pull
> important data (/etc/fstab /etc/zipl.conf,
> /etc/sysconfig/network/ifcfg-qeth-*), and run certain commands remotely on
> other Linux systems without the need for someone sitting typing a password
> many times.
>
> Systems management tasks need to be automated to scale the number of
> servers a single admin can care for, but security rules in certain shops
> seem to be preventing that. There must be some intelligent compromise
> (and it probably involves sudo)

A system management task needs to have a clearly defined role and access rights.
- What system files is it reading?
- What system files is it writing?
- What privileged commands/APIs does it need?

Yes, it probably involves sudo. Your app gets the same privs as a remote admin would get and has to do things the same way the remote admin would do them.

Alan Altmark
z/VM Development
IBM Endicott
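
One way to give the central system the clearly defined role described in the reply above, as an added example that is not part of the original thread: a forced-command gate for a dedicated non-root account that serves only the files named in the question and sends one privileged command through sudo. The account name `collector`, the script path, and the choice of `lsdasd` as the privileged command are assumptions.

```shell
#!/bin/sh
# Added example: forced-command gate for a dedicated non-root account.
# Assumed names: account "collector", path /usr/local/bin/collect-gate.
# authorized_keys entry on each managed system (key is a placeholder):
#   command="/usr/local/bin/collect-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <public-key>
# sudoers entry for the one privileged command (lsdasd is an assumed example):
#   collector ALL=(root) NOPASSWD: /sbin/lsdasd ""

# Return 0 only when the request fits the role; sets $verb and $arg.
request_allowed() {
    verb=${1%% *}        # text before the first space
    arg=${1#"$verb"}     # remainder of the request
    arg=${arg# }         # drop the single separating space
    # Refuse empty arguments, traversal, and any character outside a
    # conservative set, so spaces and shell syntax never reach a command.
    case $arg in
        ""|*..*|*[!A-Za-z0-9./_-]*) return 1 ;;
    esac
    case "$verb $arg" in
        "get /etc/fstab"|"get /etc/zipl.conf") return 0 ;;
        "get /etc/sysconfig/network/ifcfg-qeth-"?*)
            # Exactly one file in that directory, no deeper path.
            case ${arg#/etc/sysconfig/network/} in */*) return 1 ;; esac
            return 0 ;;
        "run lsdasd") return 0 ;;
    esac
    return 1
}

# Serve one request: reads run unprivileged, the command goes through sudo.
serve_request() {
    if ! request_allowed "$1"; then
        echo "collect-gate: denied: $1" >&2
        return 1
    fi
    case $verb in
        get) cat -- "$arg" ;;             # files assumed readable by the account
        run) sudo -n /sbin/lsdasd ;;      # -n: fail instead of prompting
    esac
}

# With a forced command, sshd passes what the client asked for in
# SSH_ORIGINAL_COMMAND; the client never gets a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    serve_request "$SSH_ORIGINAL_COMMAND"
fi
```

Root login stays disabled on the managed systems; the central system connects as the collection account and sends requests such as `get /etc/zipl.conf` or `run lsdasd`.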
