RE: Multiple authorized_keys2 files or how to achieve same effect.
From: Mark Senior (Mark.Senior_at_gov.ab.ca)
Date: 09/01/05
- Previous message: Derek Martin: "Re: Multiple authorized_keys2 files or how to achieve same effect."
- Maybe in reply to: Jeremy Eder: "Multiple authorized_keys2 files or how to achieve same effect."
- Next in thread: Jayson Anderson: "Re: Multiple authorized_keys2 files or how to achieve same effect."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 1 Sep 2005 10:03:08 -0600
To: "Jeremy Eder" <jeder@invision.net>
I don't know how feasible it might be to use sudo instead of logging
straight in as root, but that would give you effectively the same
benefits.
You can specify in /etc/sudoers exactly who (user IDs or whole groups)
can do what (specific commands, or anything) as whom (effective user
IDs) where (specific hostname where the permission has effect).
This way, you can maintain a single /etc/sudoers file across all
machines, but certain lines only take effect on certain machines. You
can even specify that some users can do some actions without re-entering
their password if you want.
Some people prefer sudo for accountability - users always sign on as
themselves, so the logs identify real users rather than root.
Regards
Mark
> -----Original Message-----
> From: Jeremy Eder [mailto:jeder@invision.net]
> Sent: September 1, 2005 08:49
> To: secureshell@securityfocus.com
> Subject: Multiple authorized_keys2 files or how to achieve
> same effect.
>
> My situation: multiple admins needing root on hundreds of boxes.
>
> Currently: using pubkeyauth on openssh (mostly bsd but linux
> and solaris too)
>
> Goal: ease add/remove of credentials from machines (one-off
> or globally in our network)
>
> Each server may have a completely different (and still valid)
> list of users in the authkeys2 file.
>
> Instead of getting messy with sed/cat/grep...I began to
> research if it was possible to have multiple authorized_keys2
> files, or at least be able to put directives to separate
> public key files in the global authorized_keys2. This would
> make the management of my setup much easier...
>
> Something like...
>
> AuthorizedKeysFile .ssh/authorized_keys2 AuthorizedKeysFile
> .ssh/user1 AuthorizedKeysFile /ssh/user2
>
> Etc etc...
>
> Then I can control access to the box simply by creating or
> deleting that file and one line in the conf.
>
> Am I looking in the right direction ? I haven't yet
> discovered a way to do this under openssh; however
> .ssh/authorization under ssh2 seems to provide the exact
> feature I am thinking of. Not an option...
>
> Is this possible ? Is there some other practice that is more
> accepted that I'm not aware of ?
>
> Thanks for your help.
>
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
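A worked /etc/sudoers illustrating the scheme Mark describes above (one file pushed to every machine, with the host column deciding which lines apply there). This is an added example and not part of the original thread; all user names, group names, host names and command paths in it are hypothetical.

```sudoers
# Added example, not from the original thread. One /etc/sudoers distributed
# unchanged to every host; each line only takes effect where the "where"
# column matches the local hostname. All names below are hypothetical.

# WHO: individual accounts, or whole Unix groups (prefixed with %)
User_Alias   ADMINS   = alice, bob, %wheel
User_Alias   DBAS     = carol

# WHERE: hostnames (shell-style wildcards are allowed) grouped into aliases
Host_Alias   WEB      = web1, web2, web3
Host_Alias   DB       = db1, db2
Host_Alias   BSDBOXES = bsd*

# WHAT: specific commands, always by full path
Cmnd_Alias   SERVICES = /usr/sbin/service, /etc/rc.d/*
Cmnd_Alias   DBCTL    = /usr/local/bin/pg_ctl

# Accountability: every invocation is logged with the real invoking user
Defaults     log_year, logfile=/var/log/sudo.log

# who        where    = (as whom)   what
ADMINS       ALL      = (ALL)       ALL
DBAS         DB       = (postgres)  DBCTL
bob          WEB      = (root)      NOPASSWD: SERVICES
%operators   BSDBOXES = (root)      SERVICES
```

Revoking someone's access everywhere is then a one-line change to a single file instead of editing authorized_keys on hundreds of hosts; for one-off access, add a line whose host column names only that machine. Check the file with `visudo -c -f <file>` before pushing it out, and use `sudo -l` on a target host to confirm what a given account may actually run there.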