sudo upgrade and PAM

Advisor I
Posts: 54
Registered: ‎09-16-2014
#1 of 7 10,333

sudo upgrade and PAM

This is mainly an FYI-type note; I wasn't sure if it best belonged here or in the DC forum.

In our AIX environment, we discovered that our (old) version of sudo was not compiled with the --with-authenticate option, which meant that it only looked to local files for authentication. Once we converted users to Centrify, it was confusing when they would log in with their AD password but would have to enter their old AIX password at the sudo prompt. We upgraded sudo to a newer version but were caught by surprise when it would print and immediately fail the password prompts, without the user entering any password at all. Turns out that the newer sudo version was fully PAM-enabled, and so it was looking for /etc/pam.conf service entries named "sudo", which we didn't have, so it was falling through to the "OTHER" service and being failed via that route.

Long story short: AIX sudo upgrade became PAM-enabled and so required specific "sudo" service entries in /etc/pam.conf. Hat tip to KB-1784 that led me to the solution.

-jeff
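The fall-through Jeff describes can be checked mechanically before an upgrade bites. The following is an added example, not part of the original post and not Centrify's own code: a POSIX shell script that reads an AIX-style /etc/pam.conf (a constructed sample is embedded so it runs offline), shows which lines PAM would actually apply for the sudo service, reports whether sudo has a stanza of its own or falls through to OTHER, and prints a sudo stanza to append. The module paths /usr/lib/security/pam_centrifydc and /usr/lib/security/pam_aix, the "deny" option, and the sufficient/requisite/required ordering are assumptions modelled on the pattern Centrify's join typically writes for services such as sshd; compare them against the sshd lines in your own pam.conf before copying anything.

```shell
#!/bin/sh
# Added example, not from the original post. Models the AIX /etc/pam.conf lookup:
#   service_name  module_type  control_flag  module_path  [options]
# A service with no lines of its own falls through to the OTHER stanza, which is
# why a freshly PAM-enabled sudo with no "sudo" lines fails as the post describes.

# Constructed sample (not a real host): sshd is Centrify-enabled, sudo has no stanza.
# Module paths are assumptions; check them against your own /etc/pam.conf.
SAMPLE_PAMCONF='# /etc/pam.conf (constructed sample)
sshd    auth     sufficient  /usr/lib/security/pam_centrifydc
sshd    auth     required    /usr/lib/security/pam_aix
OTHER   auth     required    /usr/lib/security/pam_aix
OTHER   account  required    /usr/lib/security/pam_aix
'

# effective_stanza SERVICE MODULE_TYPE  < pam.conf
# Prints the lines PAM applies for that service and module type: the service's
# own lines if any exist, otherwise the OTHER lines. Names compare case-insensitively.
effective_stanza() {
    awk -v svc="$1" -v mtype="$2" '
        /^[ \t]*(#|$)/                { next }   # comments and blank lines
        tolower($2) != tolower(mtype) { next }   # other module types (auth/account/...)
        tolower($1) == tolower(svc)   { own = own $0 "\n"; next }
        tolower($1) == "other"        { other = other $0 "\n" }
        END { printf "%s", (own != "" ? own : other) }'
}

# has_explicit_stanza SERVICE MODULE_TYPE  < pam.conf
# Exit 0 if the service has lines of its own, 1 if it would fall through to OTHER.
has_explicit_stanza() {
    effective_stanza "$1" "$2" |
        awk -v svc="$1" 'BEGIN { rc = 1 } tolower($1) == tolower(svc) { rc = 0 } END { exit rc }'
}

# Lines to append so sudo authenticates the way sshd does above: try Centrify
# first; if Centrify knows the user but rejects the password, stop there (no
# second prompt for a stale local password); fall back to local AIX auth only
# for users Centrify does not know. The "deny" option and the paths are
# assumptions taken from Centrify's usual pattern, not from the post.
sudo_stanza() {
    cat <<'EOF'
sudo    auth     sufficient  /usr/lib/security/pam_centrifydc
sudo    auth     requisite   /usr/lib/security/pam_centrifydc deny
sudo    auth     required    /usr/lib/security/pam_aix
sudo    account  sufficient  /usr/lib/security/pam_centrifydc
sudo    account  required    /usr/lib/security/pam_aix
EOF
}

# Usage against the constructed sample (on a real host, read < /etc/pam.conf instead).
if printf '%s' "$SAMPLE_PAMCONF" | has_explicit_stanza sudo auth; then
    echo "sudo has its own auth stanza"
else
    echo "sudo falls through to OTHER; effective auth lines:"
    printf '%s' "$SAMPLE_PAMCONF" | effective_stanza sudo auth
    echo "lines to append to /etc/pam.conf:"
    sudo_stanza
fi
```

Run it with `sh pamcheck.sh` (any name will do); on a live AIX host, replace the sample with `< /etc/pam.conf` in the two pipelines. The same check applies to any other service a vendor package suddenly PAM-enables, which is the general lesson of the thread: a service name that does not appear in pam.conf is not "unconfigured", it is configured by OTHER.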

Centrify Guru I
Posts: 2,432
Registered: ‎07-26-2012
#2 of 7 10,330

Re: sudo upgrade and PAM

Hello Jeff,

Welcome to Centrify.
Thanks for bringing this to the attention of the rest of the community.

If you're using Centrify Standard Edition, remember that you have Privileged User Management capabilities (RBAC) implemented with AD and Centrify-enhanced sudo (dzdo). This allows you to eliminate the use of shared accounts (root, oracle, etc.) and to provide users with just the privileges they need, while gaining the ability to limit access, provide just the proper privileges, and generate quick reports of who has access to what and what they can do with those privileges.

[Image: WebAdmin - Role]

[Image: report sample]

We appreciate your feedback.

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Advisor I
Posts: 54
Registered: ‎09-16-2014
#3 of 7 10,322

Re: sudo upgrade and PAM

Hi Robertson; thanks! I'm curious to see how this Community forum turns out. I think there's lots of good knowledge out there, between users, support, and Professional Services. Anything we can do to help spread information is good!

We were shown dzdo during the PS engagement, and stepped through a sudoers file import, so I've seen the basics. We're moving kinda slowly here with our implementation, and sudo is one of those tools that works really well at what it does -- which is part of the reason it was twelve (!) years old :)
Centrify Guru I
Posts: 2,432
Registered: ‎07-26-2012
#4 of 7 10,317

Re: sudo upgrade and PAM

Jeff,

We are excited as well, the idea is to promote a community that shares ideas, best practices and provides us with feedback.
We'll have people from Engineering, Sales, Product Management and PS write articles.

R.P
http://centrifying.blogspot.com

 

Centrify Contributor II
Posts: 17
Registered: ‎02-13-2014
#5 of 7 10,131

Re: sudo upgrade and PAM

Hey Jeff, sudo is great but many customers struggle to maintain /etc/sudoers files on hundreds (thousands?) of Unix boxes.

IMHO one of the best features of Centrify-enhanced sudo (dzdo), as Robertson alluded to, is the simplicity of centralized management. Once you define roles (in AD) you can assign them to users or computers, and apply them to, say, hundreds of computers at a time. All of a sudden your local sudo management woes start to disappear.

As you saw in your demo, the sudo import wizard can quickly help you define those roles and get you heading in this direction quickly.  I'm sure Robertson already has a blog post on how to set it up in more detail :)

Advisor I
Posts: 54
Registered: ‎09-16-2014
#6 of 7 9,944

Re: sudo upgrade and PAM

Hi horto! I understand how people can let sudoers get out of control; thankfully, that wasn't one of our problems :) Early on, we used a file distribution tool to keep sudoers in sync. On my "todo" list is to investigate tools like cfengine and puppet to see what their strengths are. Good to know that dzdo keeps it simple as well!
Centrify Guru I
Posts: 2,432
Registered: ‎07-26-2012
#7 of 7 9,940

Re: sudo upgrade and PAM

Jeff,

Thanks for keeping the dialog going. If and when you're ready to experiment with converting your "up-to-date" (kudos on that) sudoers file, remember that you can preview the resulting roles by using the "Import sudoers" feature.

[Image: Sudo Import - Option]

This feature has been around for over two years and produces the roles based on the sudoers file. All you need to keep in mind is that each role can be reused and roles are typically assigned to AD principals (ideally groups), and these assignments can be made permanently or on a temporary basis (this is great for change control). Also, roles can be restricted by day/time of effectiveness.

[Image: Role Assignment - Time bounding] [Image: role - available times]

What this means to you is:

  • You have fewer people with permanent roles and have the flexibility to assign them
  • You have a very common process - AD group adds/moves/changes to grant/revoke rights
  • This can be tied to any workflow or delegated to a first line group like the HelpDesk.

Also, keep in mind that our roles not only control what people can do with privilege, but also how people log into systems. E.g.:

[Image: Role - DBA detail]

The definition above is of a DBA role.  Note that we have limited the ability to log in only via SSH (on Solaris, Linux and Debian) + the ability to elevate to Oracle (without knowing the creds) and to run sqlplus as oracle.

That same model works for Windows as well. So think about this: how about a mixed Windows/Linux role?

[Image: Role - Mixed UNIX-Win detail]

So the name of the game is cross-platform flexibility with very little infrastructure required:  Just AD and our agent.  Just a "tiny-bit" more powerful than sudo.

:-)

R.P
