> I misunderstood. To that, I would've answered "don't," but if you want
> to allow direct remote root access, that's your call.
We don't allow this on production machines but there are a few back at
the office that require root logins for some scripts and tools.
Thanks again, this project is sha
On Fri, 12 Feb 2010, Sean Carolan wrote:
> > Set up a local root user on every box. I highly recommend not relying
> > on LDAP for that, or you're a bit screwed if, for example, your network
> > cable goes bad.
>
> Right, I just made my AllowGroups line look like this:
>
> AllowGroups root oper
> Set up a local root user on every box. I highly recommend not relying
> on LDAP for that, or you're a bit screwed if, for example, your network
> cable goes bad.
Right, I just made my AllowGroups line look like this:
AllowGroups root operations
AllowUsers appears to trump AllowGroups so this
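The ordering the poster noticed is documented behaviour: sshd evaluates DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and a user who fails an earlier directive never reaches a later one. The script below is an added example (not from the thread and not OpenSSH's code) that models that evaluation order over a constructed sshd_config fragment like the one above: local root plus an LDAP-backed "operations" group, with and without an extra AllowUsers line. It assumes patterns use only `*` and `?` wildcards (the USER@HOST form is not modelled) and that the group list for a user is supplied by the caller, which in practice is whatever NSS returns from local files plus LDAP.

```python
"""Model of how OpenSSH sshd applies DenyUsers/AllowUsers/DenyGroups/AllowGroups.

Added example, not code from the thread or from OpenSSH. It follows the
evaluation order documented in sshd_config(5). Assumptions: patterns only use
'*' and '?' wildcards, the USER@HOST pattern form is ignored, and the caller
supplies each user's group list (in real life: NSS, i.e. /etc/group + LDAP).
"""
from fnmatch import fnmatchcase

DIRECTIVES = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_sshd_config(text):
    """Return {directive: [patterns]} for the four access-control directives.

    Keywords are case-insensitive and repeated lines accumulate, as in sshd.
    """
    rules = {d: [] for d in DIRECTIVES}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *patterns = line.split()
        for d in DIRECTIVES:
            if key.lower() == d.lower():
                rules[d].extend(patterns)
    return rules


def _matches(name, patterns):
    return any(fnmatchcase(name, p) for p in patterns)


def allowed_user(rules, user, groups):
    """Return (allowed, reason) in sshd's order: deny lists, then allow lists."""
    if rules["DenyUsers"] and _matches(user, rules["DenyUsers"]):
        return False, "user listed in DenyUsers"
    if rules["AllowUsers"] and not _matches(user, rules["AllowUsers"]):
        # This is the branch that makes AllowUsers override AllowGroups:
        # an AllowUsers line that does not name the user ends the check here.
        return False, "user not listed in AllowUsers"
    if rules["DenyGroups"] and any(_matches(g, rules["DenyGroups"]) for g in groups):
        return False, "user in a DenyGroups group"
    if rules["AllowGroups"] and not any(_matches(g, rules["AllowGroups"]) for g in groups):
        return False, "user not in any AllowGroups group"
    return True, "allowed"


# Constructed config fragments in the spirit of the thread.
CONFIG_GROUPS_ONLY = """
PermitRootLogin yes
AllowGroups root operations
"""
CONFIG_WITH_ALLOWUSERS = CONFIG_GROUPS_ONLY + "AllowUsers root\n"

# Constructed group memberships, i.e. what NSS would report for each user.
GROUPS = {
    "root": ["root"],
    "alice": ["alice", "operations", "db-ssh"],   # LDAP ops person
    "dbadmin": ["dbadmin", "db-ssh"],             # LDAP user, not in operations
}


def check(config_text, user):
    """Decide whether `user` may log in under the given sshd_config text."""
    return allowed_user(parse_sshd_config(config_text), user, GROUPS.get(user, []))


if __name__ == "__main__":
    for name, cfg in (("groups only", CONFIG_GROUPS_ONLY),
                      ("with AllowUsers", CONFIG_WITH_ALLOWUSERS)):
        for user in GROUPS:
            ok, why = check(cfg, user)
            print(f"{name:16} {user:8} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Two checks worth doing on a real box after pushing the file out: `sshd -T` prints the configuration the daemon actually loaded (useful when cfengine and a hand edit disagree), and the auth log distinguishes the two refusals, logging "not listed in AllowUsers" for the second branch and "not in any group" for the last one, which is the distinction a later reply in this thread points at.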
> Is "invalid user" all you're seeing in the log? Generally, at least with
> OpenSSH, if the user is being denied because it's not in a valid group,
> the logs will say so. They'll also generally tell you if it's because it
> couldn't find the user at all (often with exactly what it did to try to
>
On Fri, 12 Feb 2010, Sean Carolan wrote:
> > For example, we might have a group called "db-ssh" that defines a user
> > group allowed to access database servers. Then we just make sure DB
> > hosts get "AllowGroups db-ssh" added to their SSH configs. Plopping a
> > user into the db-ssh group in
On Tue, Feb 2, 2010 at 8:57 PM, Steve Bernacki wrote:
> On 2/2/2010 1:18 PM, Morris, Patrick wrote:
>> [snip]
>> We've found it a lot easier to manage than having to add an entry per
>> host to user records, but then our servers tend to fall into
>> easily-defined groups, which may not be the case
On 2/2/2010 1:18 PM, Morris, Patrick wrote:
> [snip]
> We've found it a lot easier to manage than having to add an entry per
> host to user records, but then our servers tend to fall into
> easily-defined groups, which may not be the case for everyone, and the
> way we do it also relies on the only
Sean Carolan wrote:
>> It's not clear to me what OS/distribution you're doing this on, but for
>> the most part we have cfengine run authconfig on our Red Hat boxes to
>> set up the basic LDAP auth (it's a one-liner if done that way), and then
>> push around the sshd_config file.
>>
>
> We hav
> It's not clear to me what OS/distribution you're doing this on, but for
> the most part we have cfengine run authconfig on our Red Hat boxes to
> set up the basic LDAP auth (it's a one-liner if done that way), and then
> push around the sshd_config file.
We have a combination of centos and Red H
Sean Carolan wrote:
>> This allows you to control who has access to the systems directly from
>> ldap. Add the entitlement and they have access. Remove the entitlement
>> and their access is revoked.
>>
>> My $0.02 CDN
>>
>
> Terry, this is perfect, just what I was looking for. I like being
> Perhaps some of you have gone down this path before and can offer some
> helpful suggestions. I need to convert a group of servers to LDAP
> authentication. Most of the user accounts on these systems have
> consistent uids and gids across all the servers.
One last question for the peanut galle
Sean Carolan wrote:
>> Thanks for the info, the sshd_config file may be the way to go. We
>> already use cfengine so it would be fairly easy to implement and push
>> out to all our servers.
>>
>
> Speaking of cfengine, I would like to use this to push out the
> /etc/pam.d/system-auth and othe
> This allows you to control who has access to the systems directly from
> ldap. Add the entitlement and they have access. Remove the entitlement
> and their access is revoked.
>
> My $0.02 CDN
Terry, this is perfect, just what I was looking for. I like being
able to control access from the LDAP
We added an entitlement for all those users that need access to certain
systems, but should not be able to access other systems ...
We use the eduPerson schema, but I'll just give the basics ...
On the users ldap record, add the entitlement
hostEntitlement: hostname.company.com
This is a multi-
> Thanks for the info, the sshd_config file may be the way to go. We
> already use cfengine so it would be fairly easy to implement and push
> out to all our servers.
Speaking of cfengine, I would like to use this to push out the
/etc/pam.d/system-auth and other files required for ldap
authentica
Sean Carolan wrote:
>> You can either continue as usual with an authorized_keys file in their
>> home directories, or look at the LPK patch available for OpenSSH that
>> allows storing public keys in LDAP.
>>
>> Having the users in LDAP has absolutely no effect on how key-based
>> logins work with
> You can either continue as usual with an authorized_keys file in their
> home directories, or look at the LPK patch available for OpenSSH that
> allows storing public keys in LDAP.
>
> Having the users in LDAP has absolutely no effect on how key-based
> logins work with SSH, but it does open up s
Sean Carolan wrote:
>> #2
>> a. there is also a setting in /etc/ldap.conf called pam_groupdn. This
>> lets you define an LDAP object with multiple member attributes to
>> control who can login. I find it easy to use
>> b. SSH can be told to only accept logins from a posix group (same deal
>> just han
> #2
> a. there is also a setting in /etc/ldap.conf called pam_groupdn. This
> lets you define an LDAP object with multiple member attributes to
> control who can login. I find it easy to use
> b. SSH can be told to only accept logins from a posix group (same deal
> just handled at a different part o
2010/2/2 Sean Carolan :
> Perhaps some of you have gone down this path before and can offer some
> helpful suggestions. I need to convert a group of servers to LDAP
> authentication. Most of the user accounts on these systems have
> consistent uids and gids across all the servers. There are a fe
Perhaps some of you have gone down this path before and can offer some
helpful suggestions. I need to convert a group of servers to LDAP
authentication. Most of the user accounts on these systems have
consistent uids and gids across all the servers. There are a few
exceptions but the people who