1 |
On Sunday, 17 July 2022 21:10:52 CEST Grant Taylor wrote: |
2 |
> On 7/15/22 11:42 PM, J. Roeleveld wrote: |
3 |
> > True, properly done automation is necessary to make our lives easier. |
4 |
> |
5 |
> #truth |
6 |
> |
7 |
> > I tried this approach in the past and some levels of automation still |
8 |
> > use this, but for being able to login myself, I found having different |
9 |
> > keys become cumbersome and I ended up never actually replacing them. |
10 |
> |
11 |
> I'm curious what you found to be cumbersome. |
12 |
|
13 |
If I have 1 desktop and 1 laptop, that means 2 client machines. |
14 |
Add 5 servers/vms. |
15 |
That means 10 ssh-keys per person to manage and keep track off. |
16 |
When a laptop gets replaced, I need to ensure the keys get removed from the |
17 |
authorized_keys section. Same goes for when the ssh-keys need refreshing. |
18 |
Which, due to the amount, I never got round to. |
19 |
|
20 |
I actually have more then the amount mentioned above, the amount of ssh-keys |
21 |
gets too much to manage without an automated tool to keep track of them and |
22 |
automate the changing of the keys. I never got the time to create that tool |
23 |
and never found anything that would make it easier. |
24 |
|
25 |
> I make extensive use of the client SSH configuration file |
26 |
> (~/.ssh/config) such that I don't need to worry about which key is used |
27 |
> for which host. This means that anything that uses ssh / sftp / scp |
28 |
> /just/ /works/ (tm) using the contents of the configuration file. |
29 |
|
30 |
When hosts can get added and removed regularly for testing purposes, this |
31 |
requires a management tool. |
32 |
|
33 |
> > The goal is to have whichever authentication system used, the |
34 |
> > passwords/keys to be replaced often with hard to brute-force |
35 |
> > passwords/keys. I can currently replace all passwords on a daily |
36 |
> > basis and not have a problem with accessing any system. |
37 |
> |
38 |
> I agree in concept. Though I question the veracity of that statement |
39 |
> when things aren't working normally. E.g. system is offline for X hours |
40 |
> do to hardware failure or an old version restored from backup that is |
41 |
> now out of sync with the central system. |
42 |
|
43 |
Down due to hardware issues means the password-refresh fails for this host. |
44 |
Backup-restore scripts have a step added to update the passwords updated to |
45 |
whatever is in the vault before the system is brought back online. |
46 |
|
47 |
I actually considered these and made sure it can handle this. The most common |
48 |
issue is a network link being down due to ISP issues. |
49 |
|
50 |
> > For normal use, most systems don't need to be logged into a shell. For |
51 |
> > the few where this is needed, individual accounts exists. But, no |
52 |
> > individual account is a member of "wheel". For admin access, there are |
53 |
> > admin accounts on the machines. (they are all named individually and |
54 |
> > you won't find the same admin-account-username on more then 1 system) |
55 |
> |
56 |
> I've wondered about having the account for UID / GID 0 be named |
57 |
> something other than root. But the testing that I did showed that there |
58 |
> were too many things that assumed "root". :-/ |
59 |
|
60 |
You could put "root" without a valid password, making it impossible to "su -" |
61 |
into and add a 2nd uid/gid 0 account with a valid password. I know of 1 |
62 |
organisation where they had a 2nd root account added which could be used by |
63 |
the orgs sys-admins for emergency access. (These were student owned servers |
64 |
directly connected to the internet) |
65 |
|
66 |
> Though I did find that I was able to successfully convert a test VM to |
67 |
> use something other than root and the proof of concept was a success. |
68 |
> It's just that the PoC was too much effort / fragile to be used in |
69 |
> production. |
70 |
> |
71 |
> I find that the wheel group is mostly for su and a few other commands. |
72 |
> But the concept of you must be a member of a group or have special |
73 |
> permissions applied directly to your account is conceptually quite |
74 |
> similar to being a member of the wheel group. As such I don't think the |
75 |
> abstraction makes much difference other than obfuscation. |
76 |
|
77 |
I expect the "wheel" group to only be for changing into "root", that's what |
78 |
it's advertised as. |
79 |
|
80 |
> > True, but this needs to run from the client. Not the server. Which |
81 |
> > means it will need to be triggered manually and not scheduled. |
82 |
> |
83 |
> The algorithm could be refactored such that it is run from the server. |
84 |
> E.g. if you can ensure that the old key is replaced with the new key, it |
85 |
> can safely be done server side. I did this for a few colleagues that |
86 |
> had forgotten the passphrase for their old private key and needed their |
87 |
> new public key to be put into place. |
88 |
|
89 |
Still needs the clients to be actually running when the server runs the |
90 |
script. Or it needs to be added to a schedule and gets triggered when the |
91 |
client becomes available. This would make the scheduler too complex. |
92 |
|
93 |
> > I don't even have sudo installed on most systems, only where it's |
94 |
> > needed for certain scripts to work and there it's only used to avoid |
95 |
> > "setuid" which is an even bigger issue. |
96 |
> |
97 |
> I tend to prefer sudo's security posture where people need to know |
98 |
> /their/ password. Meaning that there was no need for multiple people to |
99 |
> know the shared target user's password like su does. |
100 |
|
101 |
I agree, but root-access is only needed for specific tasks, like updates. |
102 |
Most access is done using service-specific accounts. I only have 2 where users |
103 |
have shell-accounts. |
104 |
|
105 |
> If I was in a different environment, I'd consider Kerberized versions of |
106 |
> su as an alternative. |
107 |
|
108 |
I'd love to implement Kerberos, mostly for the SSO abilities, but haven't |
109 |
found a simple to follow howto yet which can be easily adjusted so it can be |
110 |
added to an existing environment. |
111 |
|
112 |
-- |
113 |
Joost |