Friday 5 April 2013

Login Security Part 1

I'm busy looking at how we allow users to log into our systems and improving it. This post will explain how it's done currently.

Well, first of all, there are two ways we let users access our Solaris machines: SSH and Samba. So running "netservices limited" pretty much closes down all the unnecessary network services like ftp and rlogin.

Secondly, we want users to log in with their AD accounts. LDAP methinks is the most popular way to do this, but here we have a Samba/Winbind implementation, where our UNIX server is joined to the AD domain. It's pretty simple when it works; when it doesn't, it can be frustrating. I'll do a separate post on setting up the Samba Winbind AD integration.

Lastly, when any user logs in (except root), a menu comes up. The user has to choose the relevant application user (e.g. oracle, ctma, uptime) and is switched to it. When the user logs out of the application user, it's back to the menu; exiting the menu logs the user out.

The menu logs the user into the application user using ssh with key authentication, so the only password the user has to know is the AD password. Effectively, the only thing a user can do as themselves on the machine is choose which application user to change to.

Notes:

  1. Access to Samba shares is controlled using /etc/samba/smb.conf
  2. Access to ssh login is controlled using the AllowUsers option in /etc/ssh/sshd_config and by setting up key authentication for the user
  3. Because the change from user to application user is done using ssh, this screws with auditing.
*Most of this setup was in place when I got here, so I can't really take any credit for it.
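The login menu described above, written out as an added example (this is not the site's actual menu script): it resolves the menu choice to an application user, records who is making the switch, and runs ssh with key-only authentication. The application-user list, the per-target key paths under ~/.ssh, and the logger tag are assumptions for the example.

```shell
#!/bin/sh
# Added example of the post-login menu: an AD-authenticated user picks an
# application user and is switched to it over ssh with key authentication.
# Run it with "exec" from the login shell profile so leaving the menu ends
# the session. User list, key layout and logger tag are assumptions.

APP_USERS="oracle ctma uptime"   # application users offered (assumed)
KEY_DIR="${HOME}/.ssh"           # per-target keys, e.g. ~/.ssh/oracle_key (assumed)

# Map a 1-based menu selection to an application user name.
# Prints the name and returns 0, or returns 1 for anything not on the list.
choose_app_user() {
    n=0
    for u in $APP_USERS; do
        n=$((n + 1))
        [ "$1" = "$n" ] && { printf '%s\n' "$u"; return 0; }
    done
    return 1
}

# Switch to the chosen application user. BatchMode refuses to fall back to a
# password prompt, so the only secret the user ever types is the AD password.
# The logger line records who is behind the switch, because sshd itself only
# sees the application user logging in from localhost (the gap in note 3).
switch_to() {
    logger -t app-menu "$(id -un) switching to application user $1"
    ssh -i "$KEY_DIR/$1_key" -o BatchMode=yes "$1@localhost"
}

print_menu() {
    n=0
    for u in $APP_USERS; do
        n=$((n + 1))
        printf '  %d) %s\n' "$n" "$u"
    done
}

# Interactive loop, only when attached to a terminal (the login case).
if [ -t 0 ]; then
    while :; do
        print_menu
        printf 'Application user to switch to (q to log out): '
        read -r choice || break
        [ "$choice" = "q" ] && break
        if target=$(choose_app_user "$choice"); then
            switch_to "$target"       # returns here when the ssh session ends
        else
            echo "Invalid selection: $choice" >&2
        fi
    done
fi
```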
