We’ve just migrated a set of CentOS 6/7 hosts from pure OpenLDAP-based authentication to IPA and Kerberos. What surprised us is that a local root user on an IPA-enrolled host can use ‘su’ to become an IPA user.

If the chosen IPA user is currently logged in, the “local root” can use the IPA user's Kerberos credentials to move around hosts in the domain as the IPA user. Kerberos ticket forwarding allows the local root user to assume the IPA user's identity on any permitted host in the field until it can no longer renew the Kerberos ticket (7 days by default).

It feels like a backward step. We have developers who need root on test VMs. If an IPA admin happens to be logged into the test VM, then the developer can sudo su to the IPA admin and then log into the IPA servers with Kerberos delegation. They can then make changes to the IPA servers, all without ever needing the IPA user's password.

I can see how the Linux security model allows this, but it feels like a flawed situation.

Is there any way to safely have local admins that aren't domain admins? (Even if it only applies to CentOS 7 hosts. CentOS 6 is on the way out here.)
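
An audit sketch for the exposure described above, added here as an example and not part of the original post: it parses `klist -f` output and reports forwardable or forwarded TGTs held by watched principals on a host where others have root. The sample listing, the `EXAMPLE.TEST` realm, the `ipaadmin` principal and the watch list are constructed; the flag letters are those printed by MIT Kerberos `klist -f`.

```python
import re

# Constructed sample of `klist -f` output (MIT Kerberos layout, en_US dates).
SAMPLE = """\
Ticket cache: KEYRING:persistent:1001:1001
Default principal: ipaadmin@EXAMPLE.TEST

Valid starting       Expires              Service principal
03/04/2024 09:00:00  03/05/2024 09:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
\trenew until 03/11/2024 09:00:00, Flags: FRIA
03/04/2024 09:05:00  03/05/2024 09:00:00  host/testvm.example.test@EXAMPLE.TEST
\tFlags: FRAT
"""

TICKET = re.compile(r"^(\d\S* [\d:]+)\s+(\d\S* [\d:]+)\s+(\S+)$")
FLAGS = re.compile(r"Flags: (\w+)")
RENEW = re.compile(r"renew until (\S+ [\d:]+)")

def parse_klist(text):
    """Parse one credential cache listing into its principal and tickets."""
    cache = {"principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            cache["principal"] = line.split(":", 1)[1].strip()
        elif line[:1] in (" ", "\t") and cache["tickets"]:
            # Indented continuation line belongs to the ticket above it.
            last = cache["tickets"][-1]
            if m := FLAGS.search(line):
                last["flags"] = m.group(1)
            if m := RENEW.search(line):
                last["renew_until"] = m.group(1)
        elif m := TICKET.match(line):
            cache["tickets"].append({"expires": m.group(2), "service": m.group(3),
                                     "flags": "", "renew_until": None})
    return cache

def risky_tickets(cache, privileged):
    """Return TGTs of watched principals that are forwardable (F) or forwarded (f)."""
    if cache["principal"] not in privileged:
        return []
    return [t for t in cache["tickets"]
            if t["service"].startswith("krbtgt/") and set(t["flags"]) & set("Ff")]

if __name__ == "__main__":
    for t in risky_tickets(parse_klist(SAMPLE), {"ipaadmin@EXAMPLE.TEST"}):
        print(f"{t['service']} flags={t['flags']} renewable until {t['renew_until']}")
```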