aker-gateway / Aker

SSH bastion/jump host/jumpserver

Allow aker to login as root #79

Open HOSTED-POWER opened 5 years ago

HOSTED-POWER commented 5 years ago

We currently setup aker, but we want the connecting user to be root and not the username who logged into aker. How would this be configured in aker.json?

We tried "username": "root", to the hosts definition, but it still uses the username.

PS: It would be even better if we could set root for all hosts as a default.

anazmy commented 5 years ago

Hi @HOSTED-POWER Aker is designed intentionally to make you log in as the same user. The idea is that this is better for tracking and accountability. You can leverage sudo functionality to provide controlled privilege escalation capabilities to different users. You can set up sudoers files locally per your needs or use FreeIPA, which provides free, open source and centralized sudo capabilities that you can apply from a central location.
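The accountability argument above rests on the sudo log: when every person logs in under their own account and escalates through sudo, each root action remains attributable to the originating user. The following parser is an added example (not code from the Aker project or from anyone in this thread) that reads the syslog lines sudo emits and groups the root commands by the user who ran them, flagging denied attempts. The log lines are constructed samples; hostnames, users and commands are placeholders.

```python
import re

# Constructed sample auth-log lines (made up for this example, not taken from
# the thread or from any real host). Hosts, users and commands are placeholders.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 10 12:00:05 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 10 12:00:09 web1 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jan 10 12:00:12 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

# Shape of a sudo syslog line:
#   <ts> <host> sudo: <user> : [<reason> ;] TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>
# The optional <reason> field (e.g. "user NOT in sudoers") is only present when sudo refused.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line):
    """Return a dict for a sudo log line, or None for any other line (sshd, cron, ...)."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["denied"] = ev["reason"] is not None
    return ev


def sudo_events(log_text):
    """Parse every sudo line in a log; the 'user' field is the person who escalated."""
    events = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev:
            events.append(ev)
    return events


def commands_by_user(events):
    """Map each originating user to the commands sudo actually ran for them."""
    out = {}
    for ev in events:
        if not ev["denied"]:
            out.setdefault(ev["user"], []).append(ev["cmd"])
    return out


def denied_attempts(events):
    """Escalation attempts sudo refused; these are the lines worth alerting on."""
    return [ev for ev in events if ev["denied"]]


if __name__ == "__main__":
    evs = sudo_events(SAMPLE_AUTH_LOG)
    for user, cmds in commands_by_user(evs).items():
        print(user, "->", cmds)
    for ev in denied_attempts(evs):
        print("DENIED", ev["user"], "|", ev["reason"], "|", ev["cmd"])
```

Note that a shared root login produces none of this: the sudo line carries the originating user, the TTY and the working directory, while a direct root session only shows up in sshd's "Accepted publickey for root" line, which cannot say which person held the key.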

HOSTED-POWER commented 5 years ago

Hello Anazmy,

Thanks for your feedback, however this is very unfortunate for our use case where we absolutely don't want to add extra users to all of our systems for each user that logs into aker.

I see it could be done in the past, I really hope you could make it work again or this otherwise great looking tool becomes completely unusable for us :(

anazmy commented 5 years ago

For some reason I didn't get an email update on last reply.

I think you are referring to the code before introducing user/host groups, but now with proper segregation between entities such an approach won't be possible, and like I mentioned it's counter-intuitive for accountability as well.

If you want you can try changing the user entries below in SSHClient.py to root to fit your purpose, but please be aware future directions will not account for this approach.

```python
try:
    logging.debug("SSHClient: Authenticating using key-pair")
    transport.auth_publickey(user, auth_secret)
# Failed to authenticate with SSH key, so
# try a password instead.
except paramiko.ssh_exception.AuthenticationException:
    logging.debug("SSHClient: Authenticating using password")
    transport.auth_password(user, getpass.getpass())
self._start_session(transport)
```

HOSTED-POWER commented 5 years ago

I really appreciate your work and effort, but we don't like to depend on code patching.

I think supporting this by some parameter would still be the most flexible option for everyone. It couldn't be that hard and it would be fantastic if we could use your tool!

Please keep in mind that not all people have the same use cases and setups in mind. Could you imagine a large support team with 200 people. That would create multiple homes for all the staff which logs in I suppose? Not something one would like with a big team.

Furthermore we just want simple login as root and just keep it as simple as possible. I think the old method would have been perfect for us.

Is there anything we could do to get it supported? (I.e. some funding or code patches - although we're not familiar with python, so that would be quite hard)

anazmy commented 5 years ago

Many thanks @HOSTED-POWER for your interest in the project. IMHO, access as root or even as another user is not a secure practice and will not be added to Aker. Sorry for that. But I understand your concerns and the use case you mentioned, and the good news is there are already tools to handle such a situation. Tools like FreeIPA provide a central dashboard to manage users, ssh-keys, passwords and home directories, and it is well integrated with Aker. Please check using FreeIPA for your use case.

And thanks for your offer of support. Currently, there are no funding options for the project.

HOSTED-POWER commented 5 years ago

Thanks for your reply, but just trying to understand: if I use FreeIPA, wouldn't it create users and at least home folders for each user using aker on each system one tries to log in to? Or would it allow for root login?

anazmy commented 5 years ago

You can use FreeIPA in two ways.

1- Have home directories of users automatically created/mounted upon login; that will be a local homedir, different on each server.

2- An even better option is to have homedirs auto-mounted (NFS) upon login if users require their files/homedirs to be available everywhere.

AFAIU the second option is what you're looking for.

Logging in as root is not an option that FreeIPA facilitates.

Ramshield commented 5 years ago

The other option, which again, is NOT recommended (security reasons, blablabla), is to add the user to the sudoers file, and add "exec sudo -i" to .bashrc to automatically sudo to root upon login.
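Taken literally, an unconditional `exec sudo -i` in `.bashrc` has two failure modes: it loops if `.bashrc` is read again by the root shell, and it breaks non-interactive sessions (scp, rsync, `ssh host command`), because bash also reads `.bashrc` when started by sshd for such commands. The function below is an added example, not Ramshield's or the project's code, that isolates the decision so those cases are handled; the group name `jumpadmins` and the sudoers drop-in are hypothetical and shown only in comments.

```shell
# Guarded form of the ".bashrc exec sudo -i" idea (added example, hypothetical names).
# Assumed sudoers policy, written with visudo into /etc/sudoers.d/ (not part of this file):
#   %jumpadmins ALL=(root) NOPASSWD: ALL
# Without NOPASSWD the exec would stall on a password prompt for every login.

# should_escalate UID SUDO_USER INTERACTIVE  ->  exit 0 = escalate, exit 1 = stay as the user
should_escalate() {
    uid="$1"
    sudo_user="$2"
    interactive="$3"

    # Already root: never re-exec (also stops the loop when root's shell reads .bashrc).
    [ "$uid" -eq 0 ] && return 1

    # SUDO_USER is set inside the shell that sudo -i started; a second exec would loop.
    [ -n "$sudo_user" ] && return 1

    # Non-interactive sessions (scp, rsync, ansible, 'ssh host cmd') must keep the user's
    # own shell, otherwise the remote command runs under a different identity and breaks.
    [ "$interactive" = "1" ] || return 1

    return 0
}

# Usage in ~/.bashrc of the jump user (bash sets 'i' in $- only for interactive shells):
#   case "$-" in *i*) _interactive=1 ;; *) _interactive=0 ;; esac
#   if should_escalate "$(id -u)" "${SUDO_USER:-}" "$_interactive"; then
#       exec sudo -i
#   fi
```

Even with these guards the accountability property is what sudo provides, not the shell trick: the `sudo -i` call is logged once per login with the originating user, after which every command runs as root without a per-command sudo entry, so the sudoers `log_input`/`log_output` options (or Aker's own session recording) are what keep the later actions attributable.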

HOSTED-POWER commented 5 years ago

Hello Ramshield,

Thanks a lot for the hint! :)

We now put the whole idea on hold because it's not possible with Aker to provide root as default login with a key. A bit unfortunate since we would really like to use Aker :|

Ramshield commented 5 years ago

Hi,

We had the same issue, hence we came up with that solution. Works great, I suggest you try it, because Aker really improved the quality of our lives managing a bunch of servers! Especially since tracking and logging is great.

HOSTED-POWER commented 5 years ago

Thanks for your feedback regarding the experience with Aker, that sounds very nice!

I'm also very happy we're not the only one requiring this useful feature :)

In our case we really prefer working with open source products (and paid products) where at least we can have some additional features when needed (fully) supported inside the product...

I'm aware this is not always easy and you cannot satisfy everyone, but we're a bit disappointed that this, for us, extremely important feature won't be supported at all. Even more so because at first sight I think it wouldn't be too hard to support it with the clearly outstanding programming skills of the developers of this project!