manage_sudo.sh script

This script only has one client configuration file, which is either manage_ssh.conf or manage_ssh.conf.local. The latter can be used as a local override. Typically this configuration can be the same across an entire server park if you have a homogeneous environment. The following settings should be defined, for example:
# name of the user account performing the SUDO controls copies
# (leave blank for current user)
SUDO_TRANSFER_USER=""
# name of the OS group that should own the SUDO controls files
SUDO_OWNER_GROUP="sudoadmin"
# whether a 'chmod' needs to be executed after each sftp transfer [0=Yes; 1=No]
DO_SFTP_CHMOD=0
# extra arguments/options for the SFTP command
SFTP_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -b - "
# extra arguments/options for the SSH command
SSH_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -n"
# location of the local SUDO controls directory
LOCAL_DIR="/etc/sudo_master"
# location of the remote SUDO controls directory
REMOTE_DIR="/etc/sudo_controls/holding"
# name of the user account performing the SUDO controls update
# (leave blank for current user but user should have remote sudo root privs)
SUDO_UPDATE_USER=""
# options to pass to manage_ssh.sh when executing a key update
SUDO_UPDATE_OPTS="--verbose --remove"
# path to the visudo tool
VISUDO_BIN="/usr/sbin/visudo"
# path to the ssh-keyscan tool
SSH_KEYSCAN_BIN="/usr/bin/ssh-keyscan"
# extra arguments/options for the ssh-keyscan command
# by default -f <file> is used by manage_sudo.sh to supply hostnames, do not add here
SSH_KEYSCAN_ARGS="-t rsa"
# whether to start an SSH agent process for the master->client operations [0=No; 1=Yes]
DO_SSH_AGENT=0
# location of the SSH private key that should be added to the SSH agent process
# must be a passphrase-less key (required when using DO_SSH_AGENT)
SSH_PRIVATE_KEY="$HOME/.ssh/id_rsa"
# maximum number of background processes to spawn (~maxuprc, ~nstrpty etc.)
MAX_BACKGROUND_PROCS=30
# location of the backup directory (for configuration & key files)
BACKUP_DIR="${LOCAL_DIR}/backup"
# location of the log directory (default, see --log-dir)
LOG_DIR="/var/log"
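As an added example (not part of the SUDO controls project), the POSIX shell snippet below loads the two-file layout described above, with manage_ssh.conf.local overriding manage_ssh.conf, and then checks the loaded settings against the constraints stated in the comments: DO_SSH_AGENT=1 needs a readable SSH_PRIVATE_KEY, SSH_KEYSCAN_ARGS must not carry -f, VISUDO_BIN must be executable, and MAX_BACKGROUND_PROCS must be a positive integer. The function names and the directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the SUDO controls project: load the manage_sudo.sh
# client configuration (manage_ssh.conf, then the manage_ssh.conf.local override)
# and sanity-check the settings before any key or fragment distribution starts.
# Function names and the directory argument are assumptions made for this example.

# load_sudo_conf DIR: source DIR/manage_ssh.conf, then DIR/manage_ssh.conf.local
# if present. Returns 1 when the base configuration file is missing.
load_sudo_conf() {
    _dir="$1"
    [ -r "$_dir/manage_ssh.conf" ] || return 1
    . "$_dir/manage_ssh.conf"
    # the .local file wins for every setting it redefines
    if [ -r "$_dir/manage_ssh.conf.local" ]; then
        . "$_dir/manage_ssh.conf.local"
    fi
    return 0
}

# check_sudo_conf: print one line per problem found in the loaded settings and
# return the number of problems (0 means the configuration is usable).
check_sudo_conf() {
    _errs=0
    # DO_SSH_AGENT=1 only works with a readable (passphrase-less) private key
    if [ "${DO_SSH_AGENT:-0}" = "1" ] && [ ! -r "${SSH_PRIVATE_KEY:-}" ]; then
        echo "DO_SSH_AGENT=1 but SSH_PRIVATE_KEY is unset or unreadable"
        _errs=$((_errs + 1))
    fi
    # manage_sudo.sh passes -f <file> to ssh-keyscan itself; a second -f clashes
    case " ${SSH_KEYSCAN_ARGS:-} " in
        *" -f "*) echo "SSH_KEYSCAN_ARGS must not contain -f"; _errs=$((_errs + 1)) ;;
    esac
    # visudo is needed to validate fragments, so the binary must be executable
    if [ ! -x "${VISUDO_BIN:-}" ]; then
        echo "VISUDO_BIN is not an executable file"
        _errs=$((_errs + 1))
    fi
    # the background process limit must be a positive integer
    case "${MAX_BACKGROUND_PROCS:-}" in
        ''|*[!0-9]*|0) echo "MAX_BACKGROUND_PROCS must be a positive integer"; _errs=$((_errs + 1)) ;;
    esac
    return $_errs
}

# usage: sh check_sudo_conf.sh /etc/sudo_master
if [ $# -gt 0 ]; then
    load_sudo_conf "$1" && check_sudo_conf
fi
```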
update_sudo.pl script

This script also only has one client configuration file, which is either update_sudo.conf or update_sudo.conf.local. The latter can be used as a local override. Typically this configuration can be the same across an entire server park if you have a homogeneous environment. The following settings should be defined, for example:
# use short hostnames or FQDN (0=short names; 1=FQDN) [default: 0]
use_fqdn=1
# target directory for sudo fragment files
fragments_dir=/etc/sudo_controls/sudoers.d
# path to the visudo tool
visudo_bin=/usr/sbin/visudo
# file name of the immutable 'self' sudo fragment (w/o path)
immutable_self_file=sudo_update
# sudo rule for the immutable 'self' fragment (to run the sudo_update.pl script)
immutable_self_cmd=sudoadmin ALL=(root) NOPASSWD:/etc/sudo_controls/holding/update_sudo.pl
If /etc/sudo_controls is the path to the local SSH controls repository on all your client systems, then you can leave this file as-is. Keep in mind that the update_sudo.conf file will always be copied from the SUDO master when distributing fragments. To specify a truly local configuration for certain hosts, you can use the local override update_sudo.conf.local file.