Ticket #604 (closed enhancement: wontfix)
Extend the functionality of the Account Plugin
| Reported by: | [email protected]… | Owned by: | desai |
|---|---|---|---|
| Priority: | major | Milestone: | Bcfg2 1.3.0 Release |
| Component: | bcfg2-server | Version: | 1.0 |
| Keywords: | | Cc: | [email protected]… |
Description
The Account Plugin is a great theory but currently only supports a very specific setup. I believe if it can be extended in the following ways it could become a powerful tool for most environments.
I will leave the specific files alone here and just outline what I think should be available to the end user as configurable options.
1) Most environments cannot allow direct ssh as root for security compliance reasons
- A "superuser" should be useradd'ed to all boxes if not there
- should have ssh key installed in /home/user/.ssh/authorized_keys if a key for that user exists
- should be added to the wheel group
2) normal user should
- be useradd'ed to a list of defined boxes
- have ssh key installed in /home/user/.ssh/authorized_keys
3) Sudo
- Some shops don't like su'ing to root, thus they don't need to be in the wheel group. They might implement root level access via sudo.
- some users (dev guys for example) may need sudo access to start/stop apache, for example. It would be nice if you could config the sudoers file on a per user, per host basis to give access to limited sets of defined commands to users on the boxes they need that access on.
Pipe Dream (not sure how to do this but it would be cool)
Many shops use SSH's AllowUsers config directive in /etc/ssh/sshd_config to limit who can even auth at the SSH level. Depending on how many different systems different groups of people might need access to, you may have to maintain many files in our Cfg/ dir. Not sure if this plugin could add to that config on a box based on what boxes users have access to and then be tied into an ssh service reload to make the changes take effect.
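The per-user, per-host sudo and AllowUsers ideas in items 3 and the "Pipe Dream" above can be driven from a single access policy. The following is an added illustration written for this ticket; it is not code from Bcfg2 or its Account plugin, and the `POLICY` mapping format (user -> host -> list of absolute command paths, with `ALL` as a wildcard) is a hypothetical one chosen for the example. It renders, per host, a sudoers fragment that grants only the listed commands and an `AllowUsers` line that admits only users with an entry for that host.

```python
"""Render per-host sudoers fragments and an sshd AllowUsers line from one
access policy. Added example for the ticket above, not Bcfg2 code; the
POLICY layout is hypothetical."""

from typing import Dict, List

# Constructed sample policy: user -> {host -> [sudo commands]}.
# An empty command list means the user may log in to that host but gets
# no sudo there. The host key "ALL" applies to every host.
POLICY: Dict[str, Dict[str, List[str]]] = {
    "admin": {"ALL": ["ALL"]},
    "dev1": {
        "web1": ["/usr/sbin/apachectl start", "/usr/sbin/apachectl stop"],
        "web2": ["/usr/sbin/apachectl start", "/usr/sbin/apachectl stop"],
    },
    "analyst": {"db1": []},
}


def users_for_host(policy: Dict[str, Dict[str, List[str]]], host: str) -> List[str]:
    """Users allowed to log in to *host*: those with a host entry or an ALL entry."""
    return sorted(u for u, hosts in policy.items() if host in hosts or "ALL" in hosts)


def _commands_for(policy: Dict[str, Dict[str, List[str]]], user: str, host: str) -> List[str]:
    """Commands *user* may run via sudo on *host*; a host-specific entry wins over ALL."""
    hosts = policy[user]
    if host in hosts:
        return hosts[host]
    return hosts.get("ALL", [])


def render_sudoers(policy: Dict[str, Dict[str, List[str]]], host: str) -> str:
    """Build a sudoers fragment for *host* containing one line per user with commands.

    sudoers requires absolute command paths, so anything that is not "ALL" and
    does not start with "/" is rejected before it can reach the host.
    """
    lines = ["# generated sudoers fragment for %s" % host]
    for user in users_for_host(policy, host):
        cmds = _commands_for(policy, user, host)
        if not cmds:
            continue  # login only, no sudo on this host
        for c in cmds:
            if c != "ALL" and not c.startswith("/"):
                raise ValueError("sudoers needs absolute command paths: %r" % c)
        # Format: user host=(runas) command list
        lines.append("%s %s=(root) %s" % (user, host, ", ".join(cmds)))
    return "\n".join(lines) + "\n"


def render_allow_users(policy: Dict[str, Dict[str, List[str]]], host: str) -> str:
    """Build the sshd_config AllowUsers line for *host*."""
    return "AllowUsers " + " ".join(users_for_host(policy, host))


if __name__ == "__main__":
    for h in ("web1", "db1"):
        print(render_allow_users(POLICY, h))
        print(render_sudoers(POLICY, h))
```

The rendered sudoers fragment should be written to a file under /etc/sudoers.d/ and checked with `visudo -c -f <file>` before sshd or sudo relies on it; a syntax error in a sudoers file is a lockout risk, which is why the example refuses relative paths up front rather than leaving it to the host.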
Change History
comment:2 Changed 14 years ago by solj
- Milestone changed from Bcfg2 1.0 Release to Bcfg2 1.0.1 Release
comment:3 Changed 13 years ago by solj
- Milestone changed from Bcfg2 1.0.1 Release to Bcfg2 1.1.0 Release
comment:4 Changed 13 years ago by solj
- Milestone changed from Bcfg2 1.1.0 Release to Bcfg2 1.2.0 Release
comment:5 Changed 12 years ago by https://www.google.com/accounts/o8/id?id=AItOawnARWkgfcLN0_65FMSodEEaebtElcsVCH8
- Cc [email protected]… added
+1 Would be a great way to manage accounts across a set of hosts where NIS/LDAP is not available.
comment:6 Changed 12 years ago by solj
- Milestone changed from Bcfg2 1.2.0 Release to Bcfg2 1.3.0 Release
I think most of this is addressed by the bcfg2-accounts tool written by Holger (https://github.com/weiss/bcfg2-accounts). Moving to 1.3.0 for now, but I think all of this functionality (and possibly more) could be added there. The Account plugin was mostly written for a specific internal use at ANL.