dorileo
commented
11 months ago Why not disable via metadata? Are you considering disabling sshd config management only? Or are you also considering the disabling config management of pam modules?
Open ericnorris opened 11 months ago
dorileo
commented
11 months ago Why not disable via metadata? Are you considering disabling sshd config management only? Or are you also considering the disabling config management of pam modules?
ericnorris
commented
11 months ago Hey @dorileo! At Etsy, developers are free to spin up infrastructure as they wish, for the most part. This means that someone could enable OS Login via the metadata, which would conflict with the sssd, etc. configuration that we've deployed via our configuration management tool. There may be ways for us to prevent that via policy, but we're not in a position to do that at the moment.
Ideally I'd like this flag to disable all configuration management, if we wanted to enable OS Login we'd configure sshd, PAM, etc. on our own.
It's possible to disable the "accounts daemon" via the
accounts_daemonconfiguration setting, but as far as I can tell there is no way to disable OS Login via configuration. Ifenable-osloginis present in the metadata, theguest-agentwill immediately make changes tosshd, etc.We manage
sshdand other system-level configuration options, and would like to have direct control over modifications to those files. Right now we're not using OS Login, but even if we were, I think we'd still prefer to make the necessary changes, in order to avoid having the guest agent and our configuration management tool fight each other.I'm not tied to
oslogin_daemonas an option specifically, but some way of ensuring that the guest agent doesn't modify the system configuration would be ideal.