[GTALUG] Scripting with Interactive Utilities

William Muriithi william.muriithi at gmail.com
Sat Mar 28 01:23:39 UTC 2015


>> or if you don't want to keep passwords in shell history, put commands to
>> the file and then
> It also has the problem that it is in the command line arguments and
> hence visible in the process table to any user on the system.
Exactly because of that I suggested the variant below
>> cat command_file | ktutil
>>
>> where command file is
>> ---
>> add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96
>> test
>> wkt test_srv
>> ---
> Of course that means it is written to disk, unless you use a file on a
> ramdisk, which is also considered bad by sufficiently paranoid people.
>
> A file on a ramdisk is an improvement at least.
>

As we all seem to agree, this is pretty insecure. It was acceptable when there was no alternative, but currently one shouldn't go this route.

Take a look at FreeIPA. Seriously, it does this pretty securely. Better too, it's pretty easy to manage, which means it wouldn't be pulled out when you move on.

Another thing: every host you enroll into AD counts against your licensed CALs. If you set up a trust relationship between FreeIPA and AD, you can join hundreds of Linux hosts without any licensing implications.

Lastly, FreeIPA will manage your sudo rules by default, offer host-based access control (like which user can ssh in), SELinux, easy management through puppet, just to name a few.

Seriously, give FreeIPA a chance and you will realize the AD of Linux is finally here.

Regards,

William
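The quoted part of this thread turns on one check a defender can make directly: a secret passed as a command-line argument is readable by every local user through the process table, while the same secret fed on standard input is not. The script below is an added example, not code from this thread or from the ktutil/Kerberos projects. It uses a `sh`/`sleep` child as a stand-in for ktutil, a constructed marker string instead of a real password, and reads the child's command line the way any other user could (`/proc/<pid>/cmdline` on Linux, falling back to `ps`).

```python
"""Show why putting a secret on a command line leaks it to the process table,
and that feeding it on stdin does not. Added example; not from the thread."""
import subprocess
import time

# Constructed stand-in for a password; not a real credential.
MARKER = "CONSTRUCTED-NOT-A-REAL-SECRET"


def child_cmdline(pid: int) -> str:
    """Return another process's command line as any local user would see it:
    /proc on Linux, otherwise `ps -o args=`."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:
        out = subprocess.run(["ps", "-p", str(pid), "-o", "args="],
                             capture_output=True, text=True, check=False)
        return out.stdout


def _stop(proc: subprocess.Popen) -> None:
    """Terminate the helper child and reap it."""
    proc.kill()
    proc.wait()


def secret_on_argv_is_visible(secret: str = MARKER) -> bool:
    """The pattern the thread warns against: the secret is an argument.
    Returns True if the secret shows up in the child's command line."""
    # Two commands in -c stop the shell from exec'ing sleep directly,
    # so the sh process (with the secret in $1) stays alive to inspect.
    proc = subprocess.Popen(["sh", "-c", "sleep 30; true", "sh", secret])
    try:
        time.sleep(0.1)  # give the child a moment to settle
        return secret in child_cmdline(proc.pid)
    finally:
        _stop(proc)


def secret_on_stdin_is_visible(secret: str = MARKER) -> bool:
    """The safer pattern: the secret is written to the child's stdin, the way
    `ktutil` reads a piped command file. Returns True only if it leaks into
    the command line (it should not)."""
    proc = subprocess.Popen(["sh", "-c", "read line; sleep 30; true"],
                            stdin=subprocess.PIPE, text=True)
    try:
        proc.stdin.write(secret + "\n")
        proc.stdin.flush()
        time.sleep(0.1)
        return secret in child_cmdline(proc.pid)
    finally:
        _stop(proc)


if __name__ == "__main__":
    print("secret visible when passed as argv:", secret_on_argv_is_visible())
    print("secret visible when passed on stdin:", secret_on_stdin_is_visible())
```

Feeding the password on stdin (from a prompt such as `read -rs`, or a heredoc built in memory) removes the process-table exposure; it does not by itself address the on-disk copy the thread goes on to discuss, which is why a command file holding the password is still the weaker option.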

