private servers sharing common root

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Jun 25 00:37:19 UTC 2010


On Thu, Jun 24, 2010 at 5:00 PM, Fabio FZero <fabio.fzero-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> Yes, but you don't have to abide by it. You can turn off password
> logins and enable root logins with keys, which is really not that bad
> security-wise.

I could easily go either way on that...

Yes, keys provide *some* security, however, if you log in directly as
root, there's no identification of who was doing that.

Forbidding root login and requiring that people log in as themselves,
then authenticate to root, is a common security doctrine.

It does prevent automating root login, but it's not obvious that it's
good to make that an easy thing to do.

> Anyway, depending on what you want to do, putting your config files
> and scripts under version control could be a good solution. When
> anything needs to be changed, just alter the files, push them to the
> repo and pull everything back on all servers (I don't know if this is
> what Chris was talking about -- I didn't have time to look at the
> articles).

What you're pulling from is less important than that you're pulling.

Code folk have a liking for using SCMs as the thing to pull from.

The infrastructure.org folk recommend stuff like sup.  When I've
encouraged this in production environments, I used the "copy protocol"
used in cfengine.  Neither of those directly support versioning; they
instead commend having the version management take place in another
layer.

But again, the point is that how you pull, or where you pull from, is
much less important than that the servers pull from places they
intentionally trust as sources.  That makes a lot of challenges (e.g.
in negotiating incoming connections securely) go away, and when the
servers serve themselves, you run rather less risk of forgetting to
fix one of them.


-- 
http://linuxfinances.info/info/linuxdistributions.html
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
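As an added illustration of the two sshd settings argued over above (not code from anyone in the thread), the following checks the global section of an sshd_config for PermitRootLogin and PasswordAuthentication, honouring sshd's rule that the first value given for a keyword wins and that lines after a Match block only apply conditionally. The sample configs are constructed; the defaults assumed are those of OpenSSH 7.0 and later.

```python
"""Audit an sshd_config for root login and password authentication.
Added example; the configs below are constructed, not from a real host."""
import re

def parse_global(config_text):
    """Return the effective global settings (keyword -> value, lowercased).

    sshd(8) uses the FIRST value obtained for each keyword, so later
    duplicates are ignored.  Everything after the first 'Match' line is
    conditional and is not part of the global section.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # empty lines and comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # end of the global section
        if key not in settings and len(parts) == 2:
            settings[key] = parts[1].strip().lower()
    return settings

def audit(config_text):
    """Return a list of findings; an empty list means both settings are tight."""
    s = parse_global(config_text)
    # Assumed defaults (OpenSSH 7.0+): PermitRootLogin prohibit-password,
    # PasswordAuthentication yes.
    root = s.get("permitrootlogin", "prohibit-password")
    passwd = s.get("passwordauthentication", "yes")
    findings = []
    if root == "yes":
        findings.append("root login permitted with any auth method")
    elif root in ("prohibit-password", "without-password"):
        findings.append("root login permitted with keys (no per-person identity)")
    if passwd == "yes":
        findings.append("password authentication enabled")
    return findings

# Constructed samples: the weak setup and the hardened one.
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("PermitRootLogin no\nPasswordAuthentication no\n"
            "# duplicate below is ignored: first value wins\n"
            "PermitRootLogin yes\n"
            "Match User deploy\n    PasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg))
```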