[CentOS] directory services and root/sudo access
Adam Tauno Williams
awilliam at whitemice.org
Mon Nov 29 17:51:13 UTC 2010
On Mon, 2010-11-29 at 08:13 -0800, Iain Morris wrote:
> This is perhaps a more general security question. For those of you
> with a directory services installation, do you install a generic local
> user with sudo access in case directory services is not available?
Yes, always.
> Or do you just beef up your directory services to the point that you
> are confident it will almost always be up?
Yes, always.
And nss-pam-ldapd instead of *crap* PAM / NSS LDAP modules that ship
with most distros.
<http://arthurdejong.org/nss-pam-ldapd/>
> I usually disable root login via ssh, but allow it from the physical
> console, and make an emergency generic account with sudo privs in case
> DS breaks down. What I've noticed, however, is if I simulate a
> directory services failure, ssh logins with this generic local account
> take an eternity as the server still tries to auth that user against
> ldap/kerberos first. I'm sure this could be adjusted in pam in some
> way.
Yes, by replacing the worthless module.
> I was just curious how other admins approach this, and what level of
> trust they place in directory services being available.
I trust it a great deal; but anticipate there will be situations where
it will not be available [for whatever reason - simple NIC failure can
cut a host off from the DSA].
Running an OpenLDAP instance as a caching proxy is also sometimes a good
idea; it depends on the application.
More information about the CentOS
mailing list