How to make root an SDM admin user

The basic security infrastructure of a Hedeby system is created during the execution of the sdmadm install_master_host command. It creates private keys for the CA, for all daemons and for the sdm_admin user. However, the root user is not an admin user: its private key and certificate are not created automatically, so root cannot use sdmadm commands without a password.

It is, however, possible to create the certificate and private key for root manually.

  • First of all, user root must be an admin user, since only admin users can access the Hedeby system. This step has to be executed as the sdm_admin user.

      # su - sdm_admin
      % sdmadm add_admin_user -au root
      Admin user "root" added
      %
    

    After adding root to the admin user list, root can invoke any sdmadm command if the global option -ppw (prompt password) is specified; sdmadm will then ask interactively for username and password.

  • For passwordless authentication the private key and certificate for user root must be created. This is done with the sdmadm add_admin_user_cert command. The command can now be executed as user root, since root is an admin user, but a password must still be provided:

      # sdmadm -ppw add_admin_user_cert -e root@foo.bar -au root
      username [root] >>
      password >
      Private key and certificate for user, root, succesfully created
      
  • The private credentials and the certificate for user root have now been created and are known to the certificate authority on the master host. The final step is to export this information into a keystore and transfer it to the host where root wants to invoke the sdmadm command:

      # sdmadm -ppw update_keystore -n root -t user
      username [root] >
      password >
      The specified keystore has been exported to the file /var/spool/sdm/s1/security/users/root.keystore
      
The keystore has been stored on the local file system. sdmadm knows the default location of the keystore and will use it for authentication. The keystore itself is protected only by file permissions; only user root has access to it:

      # cd var/spool/sdm/s1/security/users
      # ls -l 
      total 8
      -rw------- 1 sdm_admin root 3083 2008-06-24 13:25 sdm_admin.keystore
      -rw------- 1 root      root 3073 2008-06-27 10:33 root.keystore
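Since file permissions are the only thing standing between the keystore and other local users, it is worth checking them after every transfer to another host. The following shell function is an added example, not part of the original post or of sdmadm; it assumes a POSIX sh and an ls -l whose first four columns are mode, link count, owner and group, and it treats an ACL marker (+) on the mode as a failure because ACL entries can widen access beyond the owner.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an SDM keystore
# is a regular file, owned by the expected user, and readable by nobody else.
#
# check_keystore_perms FILE OWNER
#   returns 0 when FILE is mode -rw------- (0600) and owned by OWNER,
#   otherwise prints the problem to stderr and returns 1.
check_keystore_perms() {
    file=$1
    owner=$2
    if [ ! -f "$file" ]; then
        echo "$file: missing or not a regular file" >&2
        return 1
    fi
    # Split the single "ls -ld" line into positional parameters:
    # $1 = mode, $2 = link count, $3 = owner, $4 = group, ...
    # shellcheck disable=SC2012
    set -- $(ls -ld "$file")
    mode=$1
    file_owner=$3
    case "$mode" in
        # "." is the SELinux context marker, "@" the extended-attribute
        # marker; neither grants extra access, so both are accepted.
        -rw-------|-rw-------.|-rw-------@) ;;
        -rw-------+)
            echo "$file: ACL entries present, access may exceed the owner" >&2
            return 1 ;;
        *)
            echo "$file: mode is $mode, expected -rw-------" >&2
            return 1 ;;
    esac
    if [ "$file_owner" != "$owner" ]; then
        echo "$file: owned by $file_owner, expected $owner" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh check_keystore.sh /var/spool/sdm/s1/security/users/root.keystore root
[ $# -eq 2 ] && check_keystore_perms "$1" "$2"
```

The path above is the default keystore location shown in the post; pass whatever location the keystore was transferred to on the target host.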