This is perhaps a more general security question. For those of you with a
directory services installation, do you install a generic local user with
sudo access in case directory services is not available? Or do you just
beef up your directory services to the point that you are confident it will
almost always be up?

I usually disable root login via ssh, but allow it from the physical
console, and make an emergency generic account with sudo privs in case DS
breaks down. What I've noticed, however, is if I simulate a directory
services failure, ssh logins with this generic local account take an
eternity as the server still tries to auth that user against LDAP/Kerberos
first. I'm sure this could be adjusted in PAM in some way.

I was just curious how other admins approach this, and what level of trust
they place in directory services being available.
--
-- -
Iain Morris
iain.t.morris(a)gmail.com
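
One way to check the PAM ordering the post suspects, as an added example that is not part of the original message: the function reports whether a short-circuiting `pam_unix` entry comes before the directory modules in an auth stack. The function name, the module list and the two sample stacks are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify a PAM auth stack by
# whether a short-circuiting local module precedes the directory modules.
# The module list is an assumption; extend it for your site.

pam_auth_order() {
    # $1: path to a PAM service file, e.g. a copy of the stack sshd includes
    awk '
        $1 ~ /^-?auth$/ {
            n++
            # pam_unix only ends the stack early when its control is
            # "sufficient" or a bracketed [success=...] jump
            if (!loc && /pam_unix\.so/ && /sufficient|success=/) loc = n
            if (!net && /pam_(ldap|krb5|sss)\.so/) net = n
        }
        END {
            if (!net)                  print "no-network-module"
            else if (loc && loc < net) print "local-first"
            else                       print "network-first"
        }' "$1"
}

# Constructed sample stacks, for illustration only
demo_dir=$(mktemp -d)
cat > "$demo_dir/slow" <<'EOF'
# directory modules are consulted before local passwords
auth  sufficient  pam_krb5.so
auth  sufficient  pam_ldap.so use_first_pass
auth  required    pam_unix.so try_first_pass
EOF
cat > "$demo_dir/fast" <<'EOF'
# a local password match jumps past the directory module
auth  [success=2 default=ignore]  pam_unix.so
auth  [success=1 default=ignore]  pam_sss.so use_first_pass
auth  requisite  pam_deny.so
auth  required   pam_permit.so
EOF

for f in slow fast; do
    printf '%s: %s\n' "$f" "$(pam_auth_order "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

The check covers only the auth stack; account-phase modules and NSS lookups can also wait on an unreachable directory.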