On 07/17/2012 06:04 PM, Steven Jones wrote:
> but presumably I can control sudo with IPA?

Yes you do.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: [email protected] [[email protected]] on
> behalf of Dmitri Pal [[email protected]]
> Sent: Tuesday, 17 July 2012 11:07 p.m.
> To: [email protected]
> Subject: Re: [Freeipa-users] stopping su -
>
> On 07/17/2012 12:40 AM, Steven Jones wrote:
>> Hi,
>>
>> I could do,
>>
>> auth required pam_wheel.so root_only use_uid
>>
>> But I really want to do this with IPA or I have to get on each server and
>> add and remove admins by hand (hint 300 servers)...that is the idea of
>> something like IPA for me....do it once centrally.
>>
>> I assume simo's hint is,
>>
>> sudo -i su - oracle
>
> AFAIU if you are looking for centrally managed setting you need to use sudo.
> With su and HBAC IPA can just control which user can authenticate using
> "su" but not for local users like root.
>
> I think that if the oracle user is centrally managed you would be able
> to define an HBAC rule that would prevent oracle user from doing su on a
> group of hosts, but I doubt that this is what you want.
> Seems like sudo will give you much more flexibility.
>
>> I will have to experiment.
>>
>> regards
>>
>> Steven Jones
>>
>> ________________________________________
>> From: [email protected] [[email protected]] on
>> behalf of Erinn Looney-Triggs [[email protected]]
>> Sent: Tuesday, 17 July 2012 4:31 p.m.
>> To: [email protected]
>> Subject: Re: [Freeipa-users] stopping su -
>>
>> On 07/16/2012 01:47 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> OK, so to confirm this can't be done in a centralised way via IPA?
>>>
>>> In which case when setting a HBAC with sshd only why can't I su - oracle but
>>> I can su - root?
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> ________________________________________
>>> From: [email protected] [[email protected]]
>>> on behalf of Erinn Looney-Triggs [[email protected]]
>>> Sent: Tuesday, 17 July 2012 9:38 a.m.
>>> To: [email protected]
>>> Subject: Re: [Freeipa-users] stopping su -
>>>
>>> On 07/16/2012 01:32 PM, Steven Jones wrote:
>>>> I have created a sshd rule only for the HBAC, but I find a std user can
>>>> su - to root, is this correct behavior?
>>>>
>>>> How do I? or can I? stop this unless explicitly allowed?
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> [email protected]
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>> You need to control this via PAM. So for me I restrict su to only be
>>> allowed for members of the wheel group, from /etc/pam.d/su:
>>>
>>> auth required pam_wheel.so use_uid
>>>
>>> There are comments in the file that will get you where you want to go.
>>>
>>> -Erinn
>>>
>> I can't speak to whether it can or cannot be done centrally in any sort
>> of authoritative way, might be possible there are hbac setting for su
>> and I can't really answer your question about suing to oracle.
>>
>> -Erinn
>>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
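The three options that come up in the thread (Erinn's `auth required pam_wheel.so use_uid` line, Steven's `root_only use_uid` variant, and Dmitri's suggestion to move the control into an IPA sudo rule) side by side, as an added example that is not code from any participant or from the FreeIPA project. The first helper audits a `/etc/pam.d/su` file and reports whether pam_wheel gates every `su` target, only `su` to root, or nothing; the second emits (or, with `IPA_APPLY=1`, runs) the `ipa` commands for one central sudo rule. The sample PAM files are constructed to approximate the stock RHEL file, and the rule, group and host-group names (`su_oracle`, `oracle_admins`, `oracle_servers`, `ipa_su_admins`) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. Names such as
# su_oracle, oracle_admins, oracle_servers, ipa_su_admins are assumptions.

# pam_wheel_scope FILE
# Prints how far pam_wheel guards su in FILE (normally /etc/pam.d/su):
#   none       no uncommented, enforcing 'auth required|requisite pam_wheel.so'
#              line, so anyone who knows the target's password can su
#   root_only  the line carries root_only: only 'su' to root is gated, while
#              'su - oracle' is still open to every user (Steven's variant)
#   all        every su target is gated by wheel (or group=) membership
pam_wheel_scope() {
    line=$(sed -e 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+([^[:space:]]*/)?pam_wheel\.so' \
        | grep -vE '(^|[[:space:]])deny([[:space:]]|$)' \
        | head -n 1)
    if [ -z "$line" ]; then
        echo none
    elif printf '%s\n' "$line" | grep -qE '(^|[[:space:]])root_only([[:space:]]|$)'; then
        echo root_only
    else
        echo all
    fi
}

# run CMD...: execute when IPA_APPLY=1, otherwise print the command (dry run).
run() {
    if [ "${IPA_APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# ipa_su_sudorule RULE TARGET_USER ADMIN_GROUP HOSTGROUP
# The central alternative to editing /etc/pam.d/su on every host: one IPA
# sudo rule letting members of ADMIN_GROUP run 'su - TARGET_USER' (as root)
# on every host in HOSTGROUP. Applying it needs an admin Kerberos ticket
# (kinit) and clients that fetch sudo rules from IPA (SSSD sudo_provider=ipa
# or sudoers over LDAP).
ipa_su_sudorule() {
    rule="$1"; target="$2"; admins="$3"; hosts="$4"
    cmd="/bin/su - $target"
    run ipa sudocmd-add "$cmd"
    run ipa sudorule-add "$rule"
    run ipa sudorule-add-allow-command "$rule" --sudocmds="$cmd"
    run ipa sudorule-add-user "$rule" --groups="$admins"
    run ipa sudorule-add-host "$rule" --hostgroups="$hosts"
}

# Constructed sample /etc/pam.d/su files (approximating the stock RHEL
# layout); only the pam_wheel line differs between them.
write_su_file() {   # write_su_file PATH WHEEL_LINE
    {
        printf '%s\n' '#%PAM-1.0' 'auth       sufficient   pam_rootok.so'
        printf '%s\n' '# Uncomment the following line to require a user to be in the "wheel" group.'
        printf '%s\n' "$2" 'auth       include      system-auth' \
            'account    include      system-auth' 'password   include      system-auth' \
            'session    include      system-auth'
    } > "$1"
}
samples=$(mktemp -d)
trap 'rm -rf "$samples"' EXIT
write_su_file "$samples/su.stock"     '#auth       required     pam_wheel.so use_uid'
write_su_file "$samples/su.root_only" 'auth       required     pam_wheel.so root_only use_uid'
write_su_file "$samples/su.all"       'auth       required     pam_wheel.so use_uid group=ipa_su_admins'

for f in stock root_only all; do
    printf '%-12s %s\n' "$f" "$(pam_wheel_scope "$samples/su.$f")"
done
ipa_su_sudorule su_oracle oracle oracle_admins oracle_servers
```

The audit shows why Steven's `root_only` line does not answer his own question: it leaves `su - oracle` open to anyone who knows that password. If the PAM route is kept, pam_wheel's `group=` option lets the gate be an IPA-managed group delivered through SSSD rather than the local `wheel` group, so the line is pushed out once and membership is changed centrally. The sudo rule is the route Dmitri recommends; it also gives a per-invocation record in the sudo log of which named user became `oracle`, which a plain `su` does not.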
