fab-user
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Fab-user] specifying login and password?


From: Christian Vest Hansen
Subject: Re: [Fab-user] specifying login and password?
Date: Wed, 18 Feb 2009 23:12:38 +0100

On Wed, Feb 18, 2009 at 9:54 PM, Timothee Besset <address@hidden> wrote:
> Jeff Forcier wrote:
>> Hi Timothee,
>>
>> Nicolas is largely correct, the "best" way to handle this is to use
>> SSH key-based authentication, which then means you won't need to be
>> prompted for any passwords during the connection phase.
>>
>> However, that's only a partial solution because you'll still need to
>> do each password in the event of a sudo() operation, assuming your
>> connection user doesn't have blanket passwordless sudo (not
>> recommended!).
>>
>> We don't really have good password management in Fabric right now, and
>> storing user passwords in general is always a tricky issue, so while
>> I'd like to put something in to make it more convenient in your case
>> (many different passwords across systems) it will take some
>> deliberation about how to best do it, or if it's something we should
>> *be* doing.
>>
>> Rest assured that the issue is on the table, however :)
>>
>> Best,
>> Jeff
>>
>>
>
> Good to hear.
>
> We are basically getting new systems, on which we start with a root +
> password ssh account (>20 of them per batch), and we are writing scripts
> to get them configured. Once configured, the machines mostly answer to a
> set of ssh keys, but considering the number of machines we are trying to
> automate the process starting from the initial root account info we get.
>
> Generating the fab files as I've shown works well enough for that.
>
> The sudo/priviledge escalation problem remains though. Our standard sshd
> lockdown requires that we turn off login as root, and expect users to
> login through their own account, then sudo .. easier to track and
> control that way.

We keep our users and credentials in Active Directory where I work.
Sudo privileges are different from server to server, but log-in is
always with the same username and password for all of our 100+ servers
- home directories etc. created upon first login.

>
> Best,
> TTimo
>
>> On Wed, Feb 18, 2009 at 2:55 PM, Nicolas Steinmetz <address@hidden> wrote:
>>
>>> 2009/2/18 Timothee Besset <address@hidden>
>>>
>>>> Hello,
>>>>
>>>> New user .. finding documentation very, very scarce ..
>>>>
>>>> Is there a way to specify login and password along with the hosts list?
>>>> I want to use fab to configure a fairly large number of machines with
>>>> different access settings.
>>>>
>>> One solution would be to use ssh connections with key (and then without
>>> managing login & password). It depends whether your architecture allows it
>>> or not.
>>> Not really a direct answer, sorry.
>>> Otherwise, did you look at sudo command, you should be able to use a login
>>> and maybe a password too.
>>> Hope it helps a little bit,
>>> Nicolas
>>> --
>>> Nicolas Steinmetz
>>> http://www.steinmetz.fr - http://www.unelectronlibre.info/
>>>
>>> _______________________________________________
>>> Fab-user mailing list
>>> address@hidden
>>> http://lists.nongnu.org/mailman/listinfo/fab-user
>>>
>>>
>>>
>
>
>
>
> _______________________________________________
> Fab-user mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/fab-user
>



-- 
Venlig hilsen / Kind regards,
Christian Vest Hansen.




reply via email to

[Prev in Thread] Current Thread [Next in Thread]