- Naming conventions
- Security considerations
Attribute host in aeHost entries should contain the canonical hostname returned by command
- Ideally make sure that the left-most DNS label of the canonical hostname is globally unique and, in case of a virtual machine, matches the dom name.
- In any case provide a globally unique machine name in attribute cn of the aeHost entry.
- If you plan to use X.509 TLS client certs for host authentication, make sure to put the canonical hostname in the certificate's subject DN.
In general Æ-DIR's access control does not care about DNS names at all. Still, it is good practice to choose well-formed DNS names for Æ-DIR servers, possibly following conventions similar to these:
User group names
Service group names
Using tool/service accounts (aeService)
Some general recommendations if you really cannot avoid using tool/service accounts acting as clients:
- Add an aeService entry with attribute sshPublicKey and do not use passwords.
- Use separate aeService entries with different SSH private keys for your different environments and service instances. This avoids having to shut down all your tools in case a widely used private key is compromised.
- Set login shell to /bin/true if shell access with invoking commands is not needed.
- Use fine-grained ownership/permissions for all files to be accessed.
- Avoid using sudo for tool accounts! If you cannot avoid using sudo:
  - Never ever give such a "tool user" simply full root access!
  - Rather grant the minimum required rights by defining fine-grained sudoers rules. For this add a separate aeGroup entry used by a specific aeSudoRule.
  - If you set attribute sudoOptions: !authenticate for password-less sudo then take care that this particular rule cannot be used by personal user accounts!
- Consider limiting SSH commands by ForceCommand in the host's sshd_config.
- Consider setting the client's IP address(es) in attribute aeRemoteHost in the tool's aeService entry. This results in the key option from=.. being added by search_authorized_keys.py to the authorized key, which restricts the usage of the private key to these address(es) (see sshd(8), section "AUTHORIZED KEYS FILE FORMAT").
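As an added illustration (not code from the Æ-DIR project or its search_authorized_keys.py), the function below renders authorized_keys lines from a constructed aeService entry and prepends a from= option whenever aeRemoteHost is set, rejecting values that would break out of the quoted option. The entry dict, the placeholder key and the use of uid as the key comment are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample aeService entry using Æ-DIR attribute names.
# The key material below is a fake placeholder, not a real public key.
SAMPLE_ENTRY = {
    "uid": ["backup-tool"],
    "sshPublicKey": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA000000000000000000000000 backup-tool@example"
    ],
    "aeRemoteHost": ["192.0.2.10", "198.51.100.0/24"],
}

# sshd(8) allows hostnames with * and ? wildcards in from= patterns.
_HOST_PATTERN_RE = re.compile(r"^[A-Za-z0-9.*?_-]+$")


def valid_from_pattern(value):
    """Accept an IP address, a CIDR network or a simple hostname/wildcard
    pattern. Anything else (quotes, spaces, commas) could inject further
    key options into the quoted from= value and is rejected."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        pass
    return bool(_HOST_PATTERN_RE.match(value))


def authorized_keys_lines(entry):
    """Render one authorized_keys line per sshPublicKey value.
    If aeRemoteHost is set, every line gets a from="..." option so the
    key is only usable from those addresses. The key comment is replaced
    by the entry's uid (assumption for this example)."""
    remote_hosts = entry.get("aeRemoteHost", [])
    bad = [h for h in remote_hosts if not valid_from_pattern(h)]
    if bad:
        raise ValueError("invalid aeRemoteHost value(s): %r" % bad)
    options = 'from="%s" ' % ",".join(remote_hosts) if remote_hosts else ""
    lines = []
    for pubkey in entry.get("sshPublicKey", []):
        parts = pubkey.split()
        if len(parts) < 2:
            continue  # skip malformed key values instead of emitting garbage
        lines.append("%s%s %s %s" % (options, parts[0], parts[1], entry["uid"][0]))
    return lines


if __name__ == "__main__":
    for line in authorized_keys_lines(SAMPLE_ENTRY):
        print(line)
```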