[nycbug-talk] Public-key sudo?
Bob Ippolito
bob at redivi.com
Mon Jan 9 16:56:33 EST 2012
On Sun, Jan 8, 2012 at 9:09 AM, Isaac Levy <ike at blackskyresearch.net> wrote:
> On Jan 7, 2012, at 2:31 PM, Bob Ippolito wrote:
> > happening with ops (ec2, puppet, chef, etc.)
>
> I believe it's well-worth bringing up cdist while you're up there:
> http://www.nico.schottelius.org/blog/migrating-away-from-puppet-to-cdist/
>
> I've not used this tool, but at the very least, their list of items
> addressing fundamental design problems with puppet/chef is spot-on, IMHO.
>
It does sound like cdist solves some of the fundamental issues with
puppet/chef, but of course it creates different ones. The major reason I
won't give cdist the time of day is that I really don't think that push
from a laptop is the right model for configuration management. Having SSH
be the only way to do something is also a bit of a liability, I've seen a
few problems with our sshd recently (something to do with PAM, LDAP and
some kind of resource leak). Fortunately those machines have IPMI, but for
this new project I'll have a bunch of Mac Minis in production so no
hardware LOM/IPMI will be available to help us.
I do want to try and get security as right as is reasonable by default,
which is why I was wondering about the sudo thing. I'm personally leaning
towards having a non-password (and rarely used) root SSH login for
administration rather than using sudo at all. In my experience the past few
years, things that need root get done (or should've been done) from Puppet
anyway.
-bob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20120109/07be4bfe/attachment.htm>
More information about the talk
mailing list