
Centralizing SUDO

 
kumar.s
Advisor

Centralizing SUDO

Admins,

Please bear with a funky question.

I have a requirement to centralize sudo permissions and the logs, similar to power broker.

All the user permissions need to be on a single HPUX server (which must act like a sudo server). All the other servers (HPUX servers) need to refer to the master server to check whether the user has the required access for any commands,
and all the logs need to be logged to a centralized location.

Kindly let me know whether this solution is possible with sudo. If it is possible, let me know how it is configured.

Thanks in advance
F Verschuren
Esteemed Contributor

Re: Centralizing SUDO

The easy way:
place the sudoers file on an NFS share,
or scp the sudoers file to a local place.
The latter is more reliable, because if you centralize, a single network problem can cause problems on all your systems.
So if you scp the sudoers file to all servers every ? hours... you have less impact if the network or central server fails...
kumar.s
Advisor

Re: Centralizing SUDO

Currently I have a sudoers file on each server.

I would like to place the sudoers file on one single server where I can make changes and grant or revoke access for users, and the permissions should be reflected on the client machines accordingly.

Also, is there any way of having a centralized location for sudo logs on a per-server basis?
Ivan Krastev
Honored Contributor

Re: Centralizing SUDO

You can use rsync to distribute the sudoers file. This will avoid problems related to NFS.

regards,
ivan
Geoff Wild
Honored Contributor

Re: Centralizing SUDO

And if you have money, have a look at ServerControl from Foxt. It centrally manages your entire Unix access, including sudo-like functions, except theirs is called suexec.

http://www.foxt.com/new-itc/products_server.htm

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Ivan Krastev
Honored Contributor

Re: Centralizing SUDO

For remote logging, change the syslog configuration on each server to send sudo entries to a central syslog server.

regards,
ivan
F Verschuren
Esteemed Contributor

Re: Centralizing SUDO

Remote logging can be done "easily" by adding a @hostname to the syslog.conf.
Be aware that the HP syslog will not encrypt over the network; if you want this, syslog-ng must be installed...
blah2blah
Frequent Advisor
Solution

Re: Centralizing SUDO

You can use sudo's LDAP features to centralize user permissions:
http://www.gratisoft.us/sudo/readme_ldap.html
kumar.s
Advisor

Re: Centralizing SUDO

Hi all,

Thanks for the responses.

The question here is that all the hosts have different usernames, groups and UIDs.

So how do I configure this on one master server, with permissions on a per-server/user basis?

If you have any docs online on configuring it to be centralized, they will be useful.
blah2blah
Frequent Advisor
Kevin Wright
Honored Contributor

Re: Centralizing SUDO

Use Host aliases in the sudoers file.
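
An added example, not part of the thread: a single sudoers file that can be copied unchanged to every server, using host aliases to grant rights per server and per user as suggested above. All host names, account names and command paths are constructed placeholders, and the choice of the local2 syslog facility is an assumption.

```sudoers
# Constructed example: one sudoers file shared by every host.
# Host names, user names and command paths below are placeholders.

# Log through syslog on a dedicated facility (local2 is an assumed choice)
# so that syslog.conf on each host can forward only sudo's entries
# to the central log host.
Defaults syslog=local2

# Groups of hosts. sudo compares these names with the local host name,
# so a rule only takes effect on the servers it names.
Host_Alias  DBHOSTS  = hpdb01, hpdb02
Host_Alias  APPHOSTS = hpapp01, hpapp02, hpapp03

# Account names differ from host to host, so group them by role.
# Listing an account that does not exist on a given host is harmless.
User_Alias  DBADMINS  = oradba, jsmith
User_Alias  APPADMINS = appmgr, mjones

# Commands are listed with full paths; arguments can be pinned as well.
Cmnd_Alias  STORAGE = /usr/sbin/lvextend, /usr/sbin/extendfs
Cmnd_Alias  APPCTL  = /opt/app/bin/appctl start, /opt/app/bin/appctl stop

# user      host     = (run-as) commands
DBADMINS    DBHOSTS  = (root) STORAGE
APPADMINS   APPHOSTS = (root) APPCTL

# A user who needs access on a single server gets a rule for that host only.
tlee        hpapp03  = (root) /usr/sbin/swlist
```

Check the master copy with `visudo -c -f` before distributing it, so a syntax error is caught on the master rather than breaking sudo on every client.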