Privileged access on GD nodes

It is important to improve the protection, control and traceability of root logins for the GD group. This is partly why SSH gateways have been configured. This page describes the procedure for requesting root access on some nodes, and also the hosts from which this access can be used.

Requesting root access

Access requests can be sent to Yvan Calas or Romain Wartel.

In order to obtain root access, you must justify a professional requirement for it. You must also justify why standard unprivileged access is not sufficient to accomplish your task.

Please note that root access will be granted by default to the nominated service managers and service experts.

Privileged access to all the production nodes will be managed automatically by a small RPM (gd-auth), which adds the SSH public keys of authorised users, together with their AFS login, to the root account. This RPM works in a similar way to the local firewall tool. In practice, the behaviour will be the same as with Quattor: each change to the root credentials must be centrally managed, or it will be automatically removed.

Connecting as root

As recent experience has demonstrated, there are clear security benefits in using dedicated and trusted hosts to access the Grid systems. It is highly recommended to use the GD SSH gateways to protect the Grid hosts and your credentials. From these gateways, you can conveniently gain root access on Grid systems. Please note that the gateways are also reachable from outside CERN.

In addition to this, authorised users can also register the IP address of their usual desktop to gain direct access to the Grid hosts.

No SSH connections to Grid systems will be permitted from any other host.
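The two mechanisms above (a centrally managed root authorized_keys file from which unmanaged entries are removed, and root logins accepted only from the gateways or a registered desktop) can be illustrated with the following added example. It is not the gd-auth RPM itself: the allowlist, gateway names and desktop address are constructed placeholders, and the source restriction is expressed with the standard OpenSSH `from=` option.

```python
"""Reconcile root's authorized_keys against a centrally managed allowlist.

Added illustration, not the gd-auth RPM. Assumed: the allowlist is a list of
(AFS login, key type, base64 key) fetched centrally; gateway names and the
registered desktop address below are constructed placeholders.
"""
import os
from pathlib import Path

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "sk-ssh-ed25519@openssh.com")

# Constructed sample allowlist: who may be root, identified by AFS login.
AUTHORISED = [
    ("alice", "ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne"),
    ("bob", "ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo"),
]
GATEWAYS = ["gw1.example.invalid", "gw2.example.invalid"]  # placeholder gateways
DESKTOPS = {"alice": "192.0.2.10"}  # placeholder registered desktop address

def key_id(line):
    """Return (type, base64) for an authorized_keys line, or None if unparsable."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            return tok, tokens[i + 1]
    return None

def render(login, ktype, key):
    """Managed line: from= limits use to the gateways (plus a registered desktop);
    the comment records the AFS login so root logins stay traceable to a person."""
    sources = GATEWAYS + ([DESKTOPS[login]] if login in DESKTOPS else [])
    return f'from="{",".join(sources)}" {ktype} {key} {login}@afs'

def reconcile(existing, authorised=AUTHORISED):
    """Return (managed_lines, removed_lines). Keys not centrally authorised are
    dropped; authorised keys are rewritten in managed form, so a locally
    removed from= restriction is reverted as well."""
    managed = {(k, b): render(l, k, b) for l, k, b in authorised}
    removed = [ln for ln in existing if ln.strip() and not ln.startswith("#")
               and key_id(ln) not in managed]
    return list(managed.values()), removed

def apply(path="/root/.ssh/authorized_keys"):
    """Rewrite the file atomically with root-only permissions; return removed lines."""
    p = Path(path)
    existing = p.read_text().splitlines() if p.exists() else []
    lines, removed = reconcile(existing)
    tmp = p.with_suffix(".tmp")
    tmp.write_text("# managed centrally; local edits are removed\n" + "\n".join(lines) + "\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, p)
    return removed
```

Run periodically (for example from cron) and log the returned list: each removed line is an unmanaged root credential that someone added locally.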

Benefits

Using such a policy will add a significant layer of protection around the Grid systems, provide the group with an appropriate level of privileged access traceability, and also ease the handling of compromised SSH keys.

-- Romain Wartel - 21 Nov 2006

Topic revision: r3 - 2007-02-16 - YvanCalas