sudo upgrade and PAM
09-16-2014 06:08 AM
This is mainly an FYI-type note; I wasn't sure if it best belonged here or in the DC forum.
In our AIX environment, we discovered that our (old) version of sudo was not compiled with the --with-authenticate option, which meant that it only looked to local files for authentication. Once we converted users to Centrify, it was confusing when they would log in with their AD password but would have to enter their old AIX password at the sudo prompt. We upgraded sudo to a newer version but were caught by surprise when it would print and immediately fail the password prompts, without the user entering any password at all. Turns out that the newer sudo version was fully PAM-enabled, and so it was looking for /etc/pam.conf service entries named "sudo", which we didn't have, so it was falling through to the "OTHER" service and being failed via that route.
Long story short: AIX sudo upgrade became PAM-enabled and so required specific "sudo" service entries in /etc/pam.conf. Hat tip to KB-1784 that led me to the solution.
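As an added illustration of the fall-through described above (not code from the original post or from Centrify): this parses an AIX-style /etc/pam.conf (`service type control module [options]`) and reports which stack a given service actually gets. Entries for the named service win; with no "sudo" lines, PAM uses the OTHER service instead. The sample configs are constructed, and the pam_centrifydc module path is an assumption.

```shell
# pam_stack <service> <pam.conf>: print the entries the service will use.
# Exit 0 when the service has its own entries, 1 when it fell through to OTHER.
pam_stack() {
    svc=$1; conf=$2
    awk -v svc="$svc" '
        $1 ~ /^#/ || NF < 4 { next }        # skip comments, blanks, junk
        $1 == svc     { own = own $0 "\n" }
        $1 == "OTHER" { other = other $0 "\n" }
        END {
            if (own != "") { printf "%s", own; exit 0 }   # explicit entries
            printf "%s", other                            # fell through to OTHER
            exit 1
        }' "$conf"
}

# Constructed sample configs. pam_aix is the stock AIX module; the
# /usr/lib/security/pam_centrifydc path is assumed for this example.
CONF_NO_SUDO=$(mktemp); CONF_WITH_SUDO=$(mktemp)
trap 'rm -f "$CONF_NO_SUDO" "$CONF_WITH_SUDO"' EXIT
cat >"$CONF_NO_SUDO" <<'EOF'
# OTHER catches any service without its own entries
OTHER   auth     required   /usr/lib/security/pam_prohibit
OTHER   account  required   /usr/lib/security/pam_prohibit
sshd    auth     sufficient /usr/lib/security/pam_centrifydc
sshd    auth     required   /usr/lib/security/pam_aix
EOF
{ cat "$CONF_NO_SUDO"; cat <<'EOF'
sudo    auth     sufficient /usr/lib/security/pam_centrifydc
sudo    auth     required   /usr/lib/security/pam_aix
sudo    account  sufficient /usr/lib/security/pam_centrifydc
sudo    account  required   /usr/lib/security/pam_aix
EOF
} >"$CONF_WITH_SUDO"

# Quick yes/no check: does sudo have its own PAM stack in this file?
sudo_has_own_stack() { pam_stack sudo "$1" >/dev/null; }

echo "== without sudo entries (falls through to OTHER):"
pam_stack sudo "$CONF_NO_SUDO" || echo "-> sudo would be handled by OTHER"
echo "== with sudo entries:"
pam_stack sudo "$CONF_WITH_SUDO"
```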
09-16-2014 06:41 AM
Welcome to Centrify.
Thanks for bringing this to the attention of the rest of the community.
If you're using Centrify Standard Edition, remember that you have Privileged User Management capabilities (RBAC) implemented with AD and Centrify-enhanced sudo (dzdo). This allows you to eliminate the use of shared accounts (root, oracle, etc.) and to provide users with just the privileges they need, while gaining the ability to limit access, grant just the proper privileges, and generate quick reports of who has access to what and what they can do with those privileges.
We appreciate your feedback.
09-16-2014 07:09 AM
We were shown dzdo during the PS engagement, and stepped through a sudoers file import, so I've seen the basics. We're moving kinda slowly here with our implementation, and sudo is one of those tools that works really well at what it does -- which is part of the reason it was twelve (!) years old :)
09-16-2014 08:10 AM
We are excited as well, the idea is to promote a community that shares ideas, best practices and provides us with feedback.
We'll have people from Engineering, Sales, Product Management and PS write articles.
09-19-2014 06:55 AM
Hey Jeff, sudo is great but many customers struggle to maintain /etc/sudoers files on hundreds (thousands?) of Unix boxes.
IMHO one of the best features of Centrify-enhanced sudo (dzdo), as Robertson alluded to, is the simplicity of centralized management. Once you define roles (in AD) you can assign them to users or computers, and apply them to, say, hundreds of computers at a time. All of a sudden your local sudo management woes start to disappear.
As you saw in your demo, the sudo import wizard can quickly help you define those roles and get you heading in this direction quickly. I'm sure Robertson already has a blog post on how to set it up in more detail :)
09-24-2014 05:46 AM
09-24-2014 06:38 AM
Thanks for keeping the dialog going. If and when you're ready to experiment with converting your "up-to-date" (kudos on that) sudoers file, remember that you can preview the resulting roles by using the "Import sudoers" feature.
This feature has been around for over two years and produces the roles based on the sudoers file. All you need to keep in mind is that each role can be reused, and roles are typically assigned to AD principals (ideally groups); these assignments can be made permanently or on a temporary basis (this is great for change control). Also, roles can be restricted by day/time of effectiveness.
What this means to you is:
- You have fewer people with permanent roles and have the flexibility to assign them
- You have a very common process - AD group add/moves/changes to grant/revoke rights
- This can be tied to any workflow or delegated to a first line group like the HelpDesk.
Also, keep in mind that our roles not only control what people can do with privilege, but how people log into systems. E.g.
The definition above is of a DBA role. Note that we have limited the ability to log in only via SSH (on Solaris, Linux and Debian) + the ability to elevate to Oracle (without knowing the creds) and to run sqlplus as oracle.
That same model works for Windows as well. So think about this: how about a mixed (Windows/Linux) role?
So the name of the game is cross-platform flexibility with very little infrastructure required: Just AD and our agent. Just a "tiny-bit" more powerful than sudo.