1 |
On 7/15/22 11:42 PM, J. Roeleveld wrote: |
2 |
> True, properly done automation is necessary to make our lives easier. |
3 |
|
4 |
#truth |
5 |
|
6 |
> I tried this approach in the past and some levels of automation still |
7 |
> use this, but for being able to login myself, I found having different |
8 |
> keys become cumbersome and I ended up never actually replacing them. |
9 |
|
10 |
I'm curious what you found to be cumbersome. |
11 |
|
12 |
I make extensive use of the client SSH configuration file |
13 |
(~/.ssh/config) such that I don't need to worry about which key is used |
14 |
for which host. This means that anything that uses ssh / sftp / scp |
15 |
/just/ /works/ (tm) using the contents of the configuration file. |
16 |
|
17 |
> The goal is to have whichever authentication system used, the |
18 |
> passwords/keys to be replaced often with hard to brute-force |
19 |
> passwords/keys. I can currently replace all passwords on a daily |
20 |
> basis and not have a problem with accessing any system. |
21 |
|
22 |
I agree in concept. Though I question the veracity of that statement |
23 |
when things aren't working normally. E.g. system is offline for X hours |
24 |
do to hardware failure or an old version restored from backup that is |
25 |
now out of sync with the central system. |
26 |
|
27 |
> For normal use, most systems don't need to be logged into a shell. For |
28 |
> the few where this is needed, individual accounts exists. But, no |
29 |
> individual account is a member of "wheel". For admin access, there are |
30 |
> admin accounts on the machines. (they are all named individually and |
31 |
> you won't find the same admin-account-username on more then 1 system) |
32 |
|
33 |
I've wondered about having the account for UID / GID 0 be named |
34 |
something other than root. But the testing that I did showed that there |
35 |
were too many things that assumed "root". :-/ |
36 |
|
37 |
Though I did find that I was able to successfully convert a test VM to |
38 |
use something other than root and the proof of concept was a success. |
39 |
It's just that the PoC was too much effort / fragile to be used in |
40 |
production. |
41 |
|
42 |
I find that the wheel group is mostly for su and a few other commands. |
43 |
But the concept of you must be a member of a group or have special |
44 |
permissions applied directly to your account is conceptually quite |
45 |
similar to being a member of the wheel group. As such I don't think the |
46 |
abstraction makes much difference other than obfuscation. |
47 |
|
48 |
> True, but this needs to run from the client. Not the server. Which |
49 |
> means it will need to be triggered manually and not scheduled. |
50 |
|
51 |
The algorithm could be refactored such that it is run from the server. |
52 |
E.g. if you can ensure that the old key is replaced with the new key, it |
53 |
can safely be done server side. I did this for a few colleagues that |
54 |
had forgotten the passphrase for their old private key and needed their |
55 |
new public key to be put into place. |
56 |
|
57 |
> I don't even have sudo installed on most systems, only where it's |
58 |
> needed for certain scripts to work and there it's only used to avoid |
59 |
> "setuid" which is an even bigger issue. |
60 |
|
61 |
I tend to prefer sudo's security posture where people need to know |
62 |
/their/ password. Meaning that there was no need for multiple people to |
63 |
know the shared target user's password like su does. |
64 |
|
65 |
If I was in a different environment, I'd consider Kerberized versions of |
66 |
su as an alternative. |
67 |
|
68 |
|
69 |
|
70 |
-- |
71 |
Grant. . . . |
72 |
unix || die |