www-infrastructure-dev mailing list archives

From Mads Toftum <m...@toftum.dk>
Subject Re: RFC: Requiring OPIE
Date Sun, 06 Sep 2009 11:35:22 GMT
On Sun, Sep 06, 2009 at 03:13:09AM -0700, Paul Querna wrote:
> As mentioned in the incident report, I'd like to make several machines
> _require_ the use of privileges for all users with extra privileges.
> 
> I would like to require using OPIE on minotaur first -- it is the most
> obvious host, and everything is already set up.

I thought we already did require opie for roots here - so definite +1.
> 
> I would also like to require using OPIE on brutus -- it is running
> several out of the box web applications, and has lots of people with
> root sudo.
> 
Makes sense. One could argue that hudson is a bit of the same (and yeah,
I know there's no solaris support yet).

> The Plan: I'll draft an email to each person with root on these
> machines, telling them how to set up OPIE.
> (short: install an opie-client on your machine, run 'opiepasswd' on the server).
> 
> If their account hasn't set up opie within 2 weeks, I will remove them
> from the sudoers file for now. (restoring of access shouldn't be a
> problem....)

Seems reasonable - we should be out of the worst of the vacation period.
> 
> Technical Issues: OPIE works out of the box on FreeBSD and Ubuntu.
> For Solaris, I need to find time to finish coding the PAM module for
> Orthrus.  ENOTIME.
> 
> Thoughts?
> 
No big rush on the solaris port - apart from hudson, those boxes are
already pretty limited in who gets to log in.

vh

Mads Toftum
-- 
http://soulfood.dk
