Opened 7 years ago

Last modified 2 months ago

#6367 assigned defect

make dedicated sudo passwords

Reported by: weasel
Owned by: weasel
Priority: Medium
Component: Internal Services/Tor Sysadmin Team
Severity: Normal

Description


Child Tickets

Change History (9)

comment:1 Changed 4 years ago by nickm

+1 on this. If we aim to get this transition done some time after 1 May, what do you need from sudoers first?

comment:2 Changed 4 years ago by weasel

Primarily we need to let them know to set sudo passwords via the web interface on db.tpo and then hold their hands during the inevitable mail issues.

comment:3 Changed 3 years ago by weasel

Severity: Normal

sudo passwords enabled. For now, the unix password still works.

comment:4 Changed 3 years ago by weasel

Announcement mail: https://lists.torproject.org/pipermail/tor-project/2016-March/000199.html

Plan to disable pam_unix for sudo 2nd week of April.

comment:5 Changed 2 years ago by weasel

Owner: set to tpa
Status: new → assigned

comment:6 Changed 2 years ago by weasel

Status: assigned → new

comment:7 Changed 6 months ago by ln5

The sysadmin team meeting in Brussels (notes: https://trac.torproject.org/projects/tor/wiki/org/meetings/2019BrusselsAdminTeamMinutes#Dedicatedsudopasswords) decided that we stop accepting LDAP passwords for sudo.

Two action items came out:

  • Configure pam on all but the CRM hosts to only accept the sudo passwords
  • Send email to tor-project@ informing about that change.
Last edited 6 months ago by ln5

comment:8 Changed 6 months ago by ln5

Owner: changed from tpa to weasel
Status: new → assigned

comment:9 Changed 2 months ago by anarcat

what does this actually involve, at the technical level? it looks like it's simply a matter of removing this line in /etc/pam.d/sudo:

auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass

... on all servers but the crm* servers? seems like we could just call a flag day and do it already. i'd be happy to do that if you have your hands full...
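
Comment 9 asks what disabling pam_unix for sudo involves at the technical level. The check below is an added example, not code from the ticket or from the Tor sysadmin team's own tooling: it is what one would run over /etc/pam.d/sudo on every host after the flag day to find any that still load pam_unix.so for sudo authentication. It reads a PAM service file, follows Debian-style "@include name" and "auth include name" lines relative to the file's directory (a pam_unix line hidden in common-auth would otherwise pass a naive grep of the sudo file), and exits 0 when an uncommented auth line names pam_unix.so. The sample files are constructed: the only line taken from the page is the pam_unix line quoted in comment 9; the other stack lines are modelled on Debian's common-auth; the module that checks the dedicated sudo password is left as a comment because the ticket does not name it.

```shell
#!/bin/sh
# Added example (not the ticket's or the Tor sysadmin team's code).
# pam_auth_uses_unix FILE: exit 0 if FILE, or a file it includes, has an
# uncommented "auth" line loading pam_unix.so; exit 1 otherwise.
pam_auth_uses_unix() {
    awk -v file="$1" -v dir="$(dirname "$1")" '
        # scan(path): 1 if an active auth line in path (or an included file)
        # names pam_unix.so, else 0. Parameters after the gap are locals.
        function scan(path,    line, n, i, f, r) {
            r = 0
            while (!r && (getline line < path) > 0) {
                sub(/^[ \t]+/, "", line)
                if (line ~ /^#/ || line ~ /^$/) continue
                n = split(line, f, /[ \t]+/)
                if (f[1] == "@include") {
                    r = scan(dir "/" f[2])          # Debian "@include common-auth"
                } else if (f[1] == "auth" || f[1] == "-auth") {
                    if (n >= 3 && (f[2] == "include" || f[2] == "substack")) {
                        r = scan(dir "/" f[3])      # "auth include common-auth"
                    } else {
                        # The control field may contain spaces ("[success=1 default=ignore]"),
                        # so the module name is searched for in every field, not a fixed one.
                        for (i = 2; i <= n; i++)
                            if (f[i] == "pam_unix.so") r = 1
                    }
                }
            }
            close(path)
            return r
        }
        BEGIN { exit (scan(file) ? 0 : 1) }
    '
}

# --- constructed sample files; includes resolve inside this directory ---
demo_dir=$(mktemp -d)

# Before: the line comment 9 proposes removing, inlined in the sudo service file.
cat > "$demo_dir/sudo.inline" <<'EOF'
#%PAM-1.0
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# (the module checking the dedicated sudo password would follow; not named in the ticket)
EOF

# After: pam_unix line removed (commented out).
cat > "$demo_dir/sudo.fixed" <<'EOF'
#%PAM-1.0
#auth   [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# (the module checking the dedicated sudo password would follow; not named in the ticket)
EOF

# Trap: the sudo file itself is clean, but it pulls pam_unix in via common-auth
# (the three stack lines are modelled on Debian's common-auth).
cat > "$demo_dir/sudo.included" <<'EOF'
#%PAM-1.0
@include common-auth
EOF
cat > "$demo_dir/common-auth" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF

# Report each sample; a real audit runs this against /etc/pam.d/sudo on every host.
for svc in sudo.inline sudo.fixed sudo.included; do
    if pam_auth_uses_unix "$demo_dir/$svc"; then
        echo "$svc: pam_unix still active for auth (unix/LDAP password accepted)"
    else
        echo "$svc: no active pam_unix auth entry"
    fi
done
```

Two caveats when actually removing the line rather than just detecting it. First, `[success=1 default=ignore]` means "on success, skip the next module in the stack", so whatever line follows it was previously bypassed for a correct unix password and will now be evaluated; read the stack top to bottom after the edit and confirm that a dedicated sudo password still reaches a success path and that the unix/LDAP password no longer does. Second, a host that reaches pam_unix through an include rather than the quoted inline line needs the edit in the included file (or a replacement of the include), which is exactly what the check above is meant to surface; remove the sample directory with rm -rf "$demo_dir" when done.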
