Ticket #604 (closed enhancement: wontfix)

Opened 13 years ago

Last modified 9 years ago

Extend the functionality of the Account Plugin

Reported by: cstankaitis@… Owned by: desai
Priority: major Milestone: Bcfg2 1.3.0 Release
Component: bcfg2-server Version: 1.0
Keywords: Cc: eclipseguru@…

Description

The Account Plugin is a great theory but currently only supports a very specific setup. I believe if it can be extended in the following ways it could become a powerful tool for most environments.

I will leave the specific files alone here and just outline what I think should be available to the end user as configurable options.

1) Most environments cannot allow direct ssh as root for security compliance reasons

  • A "superuser" should be useradd'ed to all boxes if not there
  • should have ssh key installed in /home/user/.ssh/authorized_keys if a key for that user exists
  • should be added to the wheel group

2) normal user should

  • be useradd'ed to a list of defined boxes
  • have ssh key installed in /home/user/.ssh/authorized_keys

3) Sudo

  • Some shops don't like su'ing to root, thus they don't need to be in the wheel group. They might implement root-level access via sudo.
  • Some users (dev guys, for example) may need sudo access to start/stop apache. It would be nice if you could config the sudoers file on a per-user, per-host basis to give access to limited sets of defined commands to users on the boxes they need that access on.

Pipe Dream (not sure how to do this but it would be cool)

Many shops use SSH's AllowUsers config directive in /etc/ssh/sshd_config to limit who can even auth at the SSH level. Depending on how many different systems different groups of people might need access to, you may have to maintain many files in our Cfg/ dir. Not sure if this plugin could add to that config on a box based on what boxes users have access to, and then be tied into an ssh service reload to make the changes take effect.
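The four requirements above (a superuser on every box with wheel membership, normal users on listed boxes, per-user per-host sudo command lists, and a derived AllowUsers line) boil down to one data model and a per-host render step. The following is an added example to make that concrete; it is not the ticket reporter's code, not the Bcfg2 Account plugin, and not bcfg2-accounts. The SPEC dictionary, the host names and the SSH keys are constructed sample data, and the output shape (a dict per host that a bundle or generator could turn into files) is an assumption. The security-relevant parts are the two checks: usernames are restricted to a safe charset before they are written into sudoers or sshd_config, and sudo commands must be absolute paths with no comma, newline, backslash or colon, because those characters change the meaning of a sudoers Cmnd_Spec.

```python
import re
from typing import Dict, List

# Constructed sample spec (illustration only; not the ticket's files and not
# the Bcfg2 Account plugin's format). "superuser" entries land on every host
# and go into wheel; normal users are created only on the hosts they list.
SPEC: Dict[str, dict] = {
    "opsadmin": {  # requirement 1: every box, wheel group, key installed
        "superuser": True,
        "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0opsadmin opsadmin@workstation",
    },
    "alice": {  # requirement 2 + 3: listed hosts, limited sudo on one of them
        "hosts": ["web01", "web02"],
        "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0alice alice@laptop",
        "sudo": {"web01": ["/usr/sbin/service apache2 start", "/usr/sbin/service apache2 stop"]},
    },
    "bob": {"hosts": ["db01"], "key": None},  # account created, no key yet
}

# Conservative POSIX-style username charset; anything else must not reach
# sudoers or sshd_config, where spaces, commas or '#' would alter the rule.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def check_username(name: str) -> str:
    """Return name unchanged, or raise if it could not be written safely."""
    if not USERNAME_RE.match(name):
        raise ValueError(f"unsafe username: {name!r}")
    return name


def check_command(cmd: str) -> str:
    """A sudoers Cmnd must be an absolute path; ',' separates commands,
    '\\n' ends the rule, '\\' escapes and ':' starts a new host spec."""
    if not cmd.startswith("/") or any(c in cmd for c in ",\n\\:"):
        raise ValueError(f"unsafe sudo command: {cmd!r}")
    return cmd


def all_hosts(spec: Dict[str, dict]) -> List[str]:
    """Every host named anywhere in the spec (superusers name none themselves)."""
    hosts = set()
    for user in spec.values():
        hosts.update(user.get("hosts", []))
        hosts.update(user.get("sudo", {}))
    return sorted(hosts)


def users_on_host(spec: Dict[str, dict], host: str) -> List[str]:
    """Superusers everywhere, normal users only where listed."""
    return sorted(
        check_username(name)
        for name, user in spec.items()
        if user.get("superuser") or host in user.get("hosts", [])
    )


def render_host(spec: Dict[str, dict], host: str) -> dict:
    """Per-host view: accounts, supplementary groups, authorized_keys contents,
    a sudoers.d fragment and the AllowUsers line for sshd_config."""
    users = users_on_host(spec, host)
    if not users:
        # An empty AllowUsers would lock everyone out; refuse to render it.
        raise ValueError(f"no users assigned to host {host!r}")
    groups = {u: (["wheel"] if spec[u].get("superuser") else []) for u in users}
    keys = {u: spec[u]["key"] for u in users if spec[u].get("key")}
    sudo_lines = []
    for u in users:
        cmds = spec[u].get("sudo", {}).get(host, [])
        if cmds:
            rule = ", ".join(check_command(c) for c in cmds)
            sudo_lines.append(f"{u} ALL=(root) {rule}")
    return {
        "users": users,
        "groups": groups,
        "authorized_keys": keys,
        "sudoers": "".join(line + "\n" for line in sudo_lines),
        "allow_users": "AllowUsers " + " ".join(users),
    }


if __name__ == "__main__":
    for h in all_hosts(SPEC):
        print(h, render_host(SPEC, h))
```

Before a generated sudoers fragment is shipped, run it through `visudo -c -f <file>` on the build host; the checks above stop the obvious injection cases but do not replace the real parser. Deriving AllowUsers from the same spec means a user removed from a box loses both the account and the ability to authenticate in one change, which is the property the "pipe dream" paragraph is after.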

Change History

comment:1 Changed 13 years ago by solj

  • Version set to 1.0
  • Milestone set to Bcfg2 1.0 Release

comment:2 Changed 12 years ago by solj

  • Milestone changed from Bcfg2 1.0 Release to Bcfg2 1.0.1 Release

comment:3 Changed 12 years ago by solj

  • Milestone changed from Bcfg2 1.0.1 Release to Bcfg2 1.1.0 Release

comment:4 Changed 12 years ago by solj

  • Milestone changed from Bcfg2 1.1.0 Release to Bcfg2 1.2.0 Release

comment:5 Changed 11 years ago by https://www.google.com/accounts/o8/id?id=AItOawnARWkgfcLN0_65FMSodEEaebtElcsVCH8

  • Cc eclipseguru@… added

+1 Would be a great way to manage accounts across a set of hosts where NIS/LDAP is not available.

comment:6 Changed 10 years ago by solj

  • Milestone changed from Bcfg2 1.2.0 Release to Bcfg2 1.3.0 Release

I think most of this is addressed by the bcfg2-accounts tool written by Holger (https://github.com/weiss/bcfg2-accounts). Moving to 1.3.0 for now, but I think all of this functionality (and possibly more) could be added there. The Account plugin was mostly written for a specific internal use at ANL.

comment:7 Changed 9 years ago by https://www.google.com/accounts/o8/id?id=AItOawnSjgovXZr-_V3vGkvMSR0pc5LDykRc1Nc

  • Status changed from new to closed
  • Resolution set to wontfix

The Account plugin is being deprecated in 1.3. Check out the tool solj mentioned in his last post.
