1 / 11

Sudo Access with Beowulf Clusters

Sudo Access with Beowulf Clusters. Chris Feehan CS Senior Capstone 12/18/06. Outline. *Intro to Sudo Command *Configuring Sudo *Sudo w/ Clusters *Ethics & Security *Recommendations. What Exactly is Sudo?. Access Configuration Tool Non-root as root w/out passwd *root=superuser

Download Presentation

Sudo Access with Beowulf Clusters

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Sudo Access with Beowulf Clusters Chris Feehan CS Senior Capstone 12/18/06

  2. Outline *Intro to Sudo Command *Configuring Sudo *Sudo w/ Clusters *Ethics & Security *Recommendations

  3. What Exactly is Sudo? • Access Configuration Tool • Non-root as root w/out passwd *root=superuser • By default, installed on most Unix-based OS’s • Widely used at academic institutions and small, low-budget businesses • Its FREE!

  4. Sudo Configuration • Prefix command with “sudo”, prompts for password, accepts or denies (example) “% sudo chmod u+rw file.txt” “% Password: _______” • /etc/sudoers, /usr/sbin/visudo • 2 Main Components: Aliases & User Specification

  5. /etc/sudoers Example • *ALIAS ALIASNAME = item1, item2,… //User_Alias SYSADMINS = Jensen, Feehan, //Host_Alias CLUSTERHEADS = castaway Cmnd_Alias DELEGATE = /bin/chgrp, /bin/chown Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/tcsh • User Specification root (superuser) ALL = (ALL) ALL SYSADMINS CLUSTERHEADS = DELEGATE, !SHELLS

  6. Why is sudo right for St. Olaf Beowulf Cluster? • Free • Expensive solutions= sysmark powerpassword • Highly Configurable • Users perform specific tasks • Secure edit via VISUDO • Locks sudoers file against multiple simultaneous edits • Provides basic sanity checks, checks for parse errors • Powerful Logging facilities • /var/log/sudo.log • .bash_history • Allows for Least Privilege methodology • Least access they need…minimizes any damage a user or attacker can make

  7. Sudo Risks • Sudo passwords • Every account w/ full sudo access= < attacker likelihood for success • How can they get access to passwords? • /etc/shadow via sudo • Sudo hijacking • By default, Sudo uses tickets--password caching • Multiple sessions per user with same ticket! • Attacker can piggyback on sudo privileges w/out his/her password • Prevent tip: disable password caching

  8. Piggyback Attack

  9. Sudo Risks (cont) • Sudo Escalation • Exclusion vs. Inclusion • if improperly configured, Limited Sudo Full Sudo

  10. Recommendations • How to delegate privileges w/ Beowulf cluster? • Currently, only active configuration of sudo is root =ALL, admin=ALL • StudentAdmin/Project Leader--learn sudo inside and out • Don’t make the mistake of using exclusion. Start Basic—increase privileges as necessary • If configuring sudo, also should configure ssh Don’t want anyone logging into childnodes as root • PDF Report on Secure Automation with Sudo & SSH Robert Napier—Cisco Systems http://www.usenix.org/events/lisa04/tech/full_papers/napier/napier.pdf

  11. Questions?

More Related