This is perhaps a more general security question. For those of you with a directory services installation, do you install a generic local user with sudo access in case directory services is not available? Or do you just beef up your directory services to the point that you are confident it will almost always be up? I usually disable root login via ssh, but allow it from the physical console, and make an emergency generic account with sudo privs in case DS breaks down. What I've noticed, however, is if I simulate a directory services failure, ssh logins with this generic local account take an eternity as the server still tries to auth that user against ldap/kerberos first. I'm sure this could be adjusted in pam in some way. I was just curious how other admins approach this, and what level of trust they place in directory services being available. -- -- - Iain Morris iain.t.morris at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20101129/44003f46/attachment-0001.html>
Adam Tauno Williams
2010-Nov-29 17:51 UTC
[CentOS] directory services and root/sudo access
On Mon, 2010-11-29 at 08:13 -0800, Iain Morris wrote:> This is perhaps a more general security question. For those of you > with a directory services installation, do you install a generic local > user with sudo access in case directory services is not available?Yes, always.> Or do you just beef up your directory services to the point that you > are confident it will almost always be up?Yes, always. And nss-pam-ldapd instead of *crap* PAM / NSS LDAP modules that ship with most distros. <http://arthurdejong.org/nss-pam-ldapd/>> I usually disable root login via ssh, but allow it from the physical > console, and make an emergency generic account with sudo privs in case > DS breaks down. What I've noticed, however, is if I simulate a > directory services failure, ssh logins with this generic local account > take an eternity as the server still tries to auth that user against > ldap/kerberos first. I'm sure this could be adjusted in pam in some > way.Yes, by replacing the worthless module.> I was just curious how other admins approach this, and what level of > trust they place in directory services being available.I trust it a great deal; but anticipate there will be situations where it will not be available [for whatever reason - simple NIC failure can cut a host off from the DSA]. Running an OpenLDAP instance as a caching proxy is also sometimes a good idea; it depends on the application.