How-to
This is a short how-to in staging a SUDO master which is the - text file - repository where the pristine sources of all SUDO fragment files, management scripts and configuration files will be held.
The requirements for a SUDO master repository are almost negligible in terms of disk space and CPU resources. However, when triggering a key distribution process, a number of parallel SSH sessions will be spawned which will take up some system resources (see MAX_BACKGROUND_PROCS
setting in the manage_sudo.sh
script). By default this is set to 30.
In terms of network and firewall configurations: all SUDO controls client hosts must be reachable through SSH (standard port 22) from the SUDO master.
The basic steps to configure a SUDO master are (as root user):
- Add a dedicated OS group & user - for example
sudoadmin
- who will be the owner of the repository. The administrative account does not need a password (so lock it) but does require a valid shell:
- Create the repository:
- Create a SSH key pair for the
sudoadmin
user. This key pair will be used to authenticate on each of the SUDO controls client systems when doing an update. If you opt to create a key with passphrase then you must:- make sure you have a SSH agent process running on either SUDO master server or your the machine you are originally connecting from (with agent forwarding enabled).
- add this key to the running SSH agent. Failing to do will block any remote update process to client hosts.
- distribute the public key to all SUDO controls hosts. You can use SSH Controls for this purpose.
- Create the fragments repository with the rules that need to be distributed. You can choose to either store all rules in one big file or use a
fragments.d
directory with separate rule files. (see Master configuration files for more details):
- Create an initial version of the required master configuration files
Build/edit the grants
, alias
& targets
files to fit your environment.
- Copy the management scripts into the repository:
You may want to review the following settings in the manage_sudo.conf
or manage_sudo.conf.local
files, especially if you are not using the default /etc/sudo_master
& /etc/sudo_controls
paths:
Note: the REMOTE_DIR
& LOCAL_DIR
settings can also be specified as command-line parameters to the manage_sudo.sh
script.
- Copy or configure the client configuration file:
- Perform a syntax check on the configuration files:
Note: the build-in syntax check has limited capabilities. It will not catch all possible errors so CAVEAT EMPTOR.
Example repository
Following is a listing of what a SUDO master repository may look like:
Leave a comment