[INSTRM-502] Settle on emergency and root access to pfs hosts Created: 02/Oct/18 Updated: 02/Oct/18
| Status: | Open |
| Project: | Instrument control development |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Normal |
| Reporter: | cloomis | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
As it stands, the pfs user at Subaru is not authenticated through LDAP, but through /etc/{passwd,group}. The ids do match (2085:2085). The reasoning is that we need some "emergency" login which depends as little as possible on network infrastructure. From that account, one can sudo. I, personally, do not like this. I believe we should allow remote root ssh logins (key only), and have the pfs user be like all others. If there is a problem bad enough that LDAP is not available, you want to do any work as root in any case. Requiring sudo with a password decreases security. Discuss. Decide.