There are a number of commercial applications out there based on
https://www.cosic.esat.kuleuven.ac.be/sesame/ which is free for non
commercial use, and supports distributed access control. It would be a good
starting point for the security requirements, but requires A LOT of further
development to implement it into a system that even comes near what you are
looking for. Most commercial applications that I have seen tend to use this
type of access control for protecting web resources.
Wouldn't a simpler approach be to only allow SSH access with authentication
taking place by public key instead of password? Then your approach would be
to create your role accounts on the server, create a keypair for the
account, and distribute the keypair to the authorised users. Addition of
infrastructure would require the migration of the password and keyfile store to
the new machine. Get into a policy of creating a new key for the role
accounts on a monthly basis; then you are forced to review your distribution
list on a monthly basis, and keep things under control. Distribute the keys
on credit card sized CDs, and you can take the key with you while on the
move and not worry about where the key is stored.
The only drawback to this is that you never know anything more than the role of
the person who made a change, i.e. when things get messed up, you won't know
who logged in. You could implement something around this that would prompt
and dump a name to a file and rely on the honour system, but chances are
when you'd log in once a week you'd see that it was yourself that logged in
on every occasion during the week.
----- Original Message -----
From: "Niall O Broin" <niall at linux.ie>
To: <ilug at linux.ie>
Sent: Tuesday, May 07, 2002 11:05 AM
Subject: [ILUG] Role based logins on servers
> Question for all you SA type people. This isn't specifically Linux
> except that all the servers I'm concerned about are Linux boxes, but it's
> more a policy issue.
>
> We have a number of people who access servers from time to time to make
> changes. Let's call them joe, billy & mary, except that those are not
> names, and there are more than three.
>
> Practice up to now has been that we've had accounts for joe, billy & mary on
> the relevant servers and they've all got group memberships so they can
> modify files which server processes can also modify. However, it can be
> tedious when putting new servers online to ensure that all the right
> accounts are created, and we often have situations where files are not
> created with the right permissions so somebody subsequently has a problem.
>
> I'm tending towards the view that we should have role based logins e.g. if
> the httpd processes run as e.g. apache and coder joe wants to modify
> something which the web server uses he should do
>
> ssh apache@server
>
> with of course appropriately installed keys. This means that all files he
> creates or modifies are owned by apache so when graphic designer billy logs
> in later, he doesn't have a problem modifying files because again, he logs
> in as apache.
>
> Anybody see any major flaws with this approach ? Anybody already doing
> something like this with real-world systems ?
>
> Irish Linux Users' Group: ilug at linux.ie
> http://www.linux.ie/mailman/listinfo/ilug for (un)subscription
> List maintainer: listmaster at linux.ie
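Added example, not code from either poster: the role-account scheme discussed in this thread also works without handing everybody the same private key, and that variant removes the attribution drawback the reply points out. Each person keeps their own keypair and only their public key is appended to the role account's ~/.ssh/authorized_keys, with the comment field naming them. Current OpenSSH logs the fingerprint of the key that authenticated in its "Accepted publickey" line (at the default LogLevel INFO), so a login as apache can be mapped back to a person after the fact, and revoking someone means deleting one line rather than reissuing a shared key to everyone else. The keys and log lines below are constructed for the example; the fingerprint calculation is the one ssh-keygen -l and sshd use (SHA-256 over the decoded key blob, base64 without padding). Key options such as from="..." at the start of an authorized_keys line are not parsed here.

```python
#!/usr/bin/env python3
"""Attribute role-account SSH logins to individual people.

Added example for the ILUG thread, not code from either poster.  Each
person's own public key sits in the role account's authorized_keys with
a comment naming them; sshd logs the fingerprint of the key that
authenticated, which we map back to that comment.
"""
import base64
import hashlib
import re
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_pubkey(seed: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 authorized_keys line.

    The 32 key bytes are constructed from a seed for the example; they are
    not a real key and cannot be used to log in anywhere.
    """
    keybytes = hashlib.sha256(b"constructed-key-%d" % seed).digest()
    blob = ssh_string(b"ssh-ed25519") + ssh_string(keybytes)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form sshd logs it: 'SHA256:<base64, no padding>'."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_authorized_keys(text: str) -> dict:
    """Map fingerprint -> comment (the person) for every key in the file.

    A key with no comment is still accepted by sshd, so it is recorded with a
    marker that makes it stand out in the report instead of being dropped.
    Leading key options (from=..., command=...) are not handled here.
    """
    owners = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # [keytype, base64 blob, optional comment]
        if len(parts) < 2:
            continue
        comment = parts[2].strip() if len(parts) == 3 else "(no comment: unattributable)"
        owners[fingerprint(line)] = comment
    return owners


# Format of the line OpenSSH sshd writes for a successful public-key login.
ACCEPTED = re.compile(
    r"Accepted publickey for (?P<acct>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<fp>SHA256:[A-Za-z0-9+/]+)"
)


def attribute_logins(log_text: str, owners: dict) -> list:
    """Return (account, source ip, person) for each accepted public-key login.

    A fingerprint that is not in authorized_keys any more (a rotated-out key,
    or one added behind your back) is reported as UNKNOWN rather than ignored.
    """
    out = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue
        person = owners.get(m.group("fp"), "UNKNOWN KEY " + m.group("fp"))
        out.append((m.group("acct"), m.group("ip"), person))
    return out


# Constructed authorized_keys for the apache role account: one key per person.
JOE_KEY = make_ed25519_pubkey(1, "joe@workstation")
MARY_KEY = make_ed25519_pubkey(2, "mary@laptop")
NOCOMMENT_KEY = make_ed25519_pubkey(3, "")  # someone forgot the comment
AUTHORIZED_KEYS = "\n".join([JOE_KEY, MARY_KEY, NOCOMMENT_KEY]) + "\n"

# Constructed auth.log lines in the format OpenSSH sshd uses.  The third login
# used a key that is no longer in authorized_keys; the fourth is not a key login.
SAMPLE_LOG = "\n".join([
    "May  7 11:05:01 www sshd[1234]: Accepted publickey for apache from 192.0.2.10 "
    "port 50001 ssh2: ED25519 " + fingerprint(JOE_KEY),
    "May  7 11:09:44 www sshd[1240]: Accepted publickey for apache from 192.0.2.11 "
    "port 50002 ssh2: ED25519 " + fingerprint(MARY_KEY),
    "May  7 11:15:02 www sshd[1251]: Accepted publickey for apache from 192.0.2.12 "
    "port 50003 ssh2: ED25519 SHA256:" + "A" * 43,
    "May  7 11:16:30 www sshd[1260]: Failed password for apache from 192.0.2.13 "
    "port 50004 ssh2",
])


def report() -> list:
    """Run the attribution over the constructed log and authorized_keys."""
    return attribute_logins(SAMPLE_LOG, load_authorized_keys(AUTHORIZED_KEYS))


if __name__ == "__main__":
    for acct, ip, person in report():
        print("%-8s %-12s %s" % (acct, ip, person))
```

On a real box the two inputs are ~apache/.ssh/authorized_keys and /var/log/auth.log (or journalctl -u ssh); the monthly review the reply suggests then becomes reading the comment column of authorized_keys and diffing it against who should still have access, with no shared secret to reissue.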