[sudo-users] Re: share a sudoers file

Russell Van Tassell russell+sudo-users at loosenut.com
Tue Nov 22 13:03:50 EST 2005


On Tue, Nov 22, 2005 at 11:52:43AM -0600, Mark F wrote:
> DietrichT at schneider.com wrote:
> >We also manage our sudoers file in the same manner that Russel described
> >below.   We have one master copy, and then we use a cron script to scp the
> >master file to all of our other servers.
> >
> >Thanks,
> >Tim
>
> SCP doesn't sound like a good option to me as every server I'd be
> copying it to would have a different password (all of which I'd have
> to hard code into a file). It would have to be the root password as well.
> Those passwords change every month so then I'd have to remember to
> update the file.  Sounds like a big security hole and a lot of hassle.

If you use scp, the implication there is that you use a public/private
key mechanism (see ssh-keygen) and then use RSA-type authentication to
allow a given user to log in from a specific machine without a password
(i.e. using the secured identity).

> I'm thinking about aliasing visudo to a script that runs visudo and
> then scps the new sudoers file to each server, requesting a password for
> each.  Means I can't cron job it, but I'd sleep better at night.

Well, not to make you paranoid, but there are certainly similar sorts
of arguments against not aliasing or replacing visudo (perhaps use
another command).  Remember when the file is scp'd, it'll most likely
need to be done by root or root equivalent ... and most folks should
have root logins via ssh turned off by default, just to make this all
the more interesting... ;-)

You might want to take a look at something such as cfengine as one means
of distributing configs like this... there are a bunch of other
alternatives, as well.

Hope that helps...
Russell

-- 
Russell M. Van Tassell
russell at loosenut.com

I'd give my right arm to be ambidextrous.
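The distribution step discussed in this thread, pushing one master sudoers file to each server over scp/ssh with key-based authentication from a non-root account (root logins over ssh being turned off), written out as an added example; this is not code from the original post. It assumes a hypothetical `sudoadm` account on every host that is allowed to run `sudo visudo` and `sudo install`, a hypothetical master copy at /etc/sudoers.master, a constructed host list, and ssh keys already set up with ssh-keygen. It adds the check a practitioner would want around such a copy: visudo validates the file before it leaves the master and again on the remote host, so a typo in the master can never be installed over a working /etc/sudoers.

```shell
#!/bin/sh
# Push a validated sudoers master to several hosts over ssh/scp.
# Example added to this thread, not from the original post. Assumptions:
#   - a hypothetical "sudoadm" account on each host with key-based ssh
#     access and sudo rights for "visudo" and "install" (root ssh login off)
#   - a hypothetical master copy at /etc/sudoers.master
#   - a constructed host list in HOSTS
set -eu

MASTER="${MASTER:-/etc/sudoers.master}"
HOSTS="${HOSTS:-web1.example.invalid db1.example.invalid}"   # constructed
REMOTE_USER="${REMOTE_USER:-sudoadm}"                        # hypothetical
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

# Run a command, or print it when DRY_RUN=1 (lets the flow be inspected
# without any network access).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Validate the master locally first; visudo -c parses without installing.
check_local() {
    visudo -cf "$1" >/dev/null
}

# Build the remote command as one string: validate the staged copy with
# visudo, then install it atomically with the mode sudo insists on (0440)
# and remove the staged file. Returned as text so it can be inspected.
remote_install_cmd() {
    staged="$1"
    printf 'sudo visudo -cf %s && sudo install -o root -g root -m 0440 %s /etc/sudoers && rm -f %s' \
        "$staged" "$staged" "$staged"
}

# Stage the file on one host, then validate and install it there.
# The live /etc/sudoers is only replaced after the remote visudo check passes.
deploy_one() {
    host="$1"
    file="$2"
    staged="/tmp/sudoers.$$"
    run scp -q "$file" "$REMOTE_USER@$host:$staged"
    run ssh "$REMOTE_USER@$host" "$(remote_install_cmd "$staged")"
}

# Check the master once, then push it to every host in HOSTS.
deploy_all() {
    check_local "$MASTER"
    for h in $HOSTS; do
        deploy_one "$h" "$MASTER"
    done
}

# Only act when explicitly asked, e.g. "DRY_RUN=1 sh push_sudoers.sh deploy".
if [ "${1:-}" = "deploy" ]; then
    deploy_all
fi
```

Running it with `DRY_RUN=1 sh push_sudoers.sh deploy` prints the scp and ssh commands that would be issued for each host, which is a cheap way to review the flow before trusting it with the real file. Because the remote `visudo -cf` runs before `install`, a broken master stops at the staging step on every host instead of locking you out of sudo.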