mcouture
Posted: Thu Jul 20, 2023 6:54 am Post subject: disable logins to mqm user on Linux
Newbie
Joined: 13 Oct 2010 Posts: 3

Can we disable interactive logins to the mqm user?
Do we need to su to mqm for any reason, or can personal IDs run all necessary admin commands (being members of group mqm)?
gbaddeley
Posted: Sun Jul 23, 2023 4:06 pm Post subject: Re: disable logins to mqm user on Linux
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia

mcouture wrote:
    Can we disable interactive logins to the mqm user?
    Do we need to su to mqm for any reason, or can personal IDs run all necessary admin commands (being members of group mqm)?

Disable interactive login - Yes
Use su - Yes - Actually, use sudo
Some MQ admin commands will result in MQ processes running as the current userid, or create MQ authority profiles for the current userid.
To avoid any issues, we always "sudo -u mqm -l", with no password required, and run admin commands from an mqm shell.
_________________
Glenn
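As an added example (not code from this thread or from IBM MQ), a POSIX shell check of the setup Glenn describes: the mqm password locked so interactive password login is refused, a real login shell kept (sudo -i -u mqm and MQ's own mqm processes need one, so nologin is the wrong lock), and a passwordless sudo rule for group mqm. The shadow, passwd and sudoers lines below are constructed samples; on a real host they would come from getent and the sudoers fragment.

```shell
#!/bin/sh
# Added example, not from the forum thread. Checks three pieces of a hardened
# mqm service account from text lines, so it runs without root or MQ installed.

# A locked account has a password field beginning with "!" (passwd -l) or "*".
mqm_login_locked() {
  pw=$(printf '%s\n' "$1" | cut -d: -f2)
  case "$pw" in
    '!'*|'*'*) return 0 ;;
    *) return 1 ;;
  esac
}

# The shell must stay usable: "sudo -i -u mqm" runs the target's login shell,
# and MQ processes run as mqm. nologin/false would break both.
mqm_shell_usable() {
  sh=$(printf '%s\n' "$1" | cut -d: -f7)
  case "$sh" in
    */nologin|*/false) return 1 ;;
    *) return 0 ;;
  esac
}

# Does the sudoers fragment let members of group mqm run commands as mqm
# without a password? (Matches the rule shape shown by "sudo -l" in the thread.)
sudoers_allows_group_mqm() {
  printf '%s\n' "$1" | grep -Eq '^%mqm[[:space:]]+ALL=\(mqm\)[[:space:]]+NOPASSWD:'
}

# Constructed sample data standing in for getent shadow/passwd and sudoers.
SHADOW_LINE='mqm:!$6$constructedhash:19500:0:99999:7:::'
PASSWD_LINE='mqm:x:1001:1001:MQ service account:/var/mqm:/bin/bash'
SUDOERS_RULE='%mqm ALL=(mqm) NOPASSWD: ALL'

# Returns 0 only when all three conditions hold; prints the first failure.
check_mqm_hardening() {
  mqm_login_locked "$1" || { echo "mqm password is not locked"; return 1; }
  mqm_shell_usable "$2" || { echo "mqm shell would break sudo -i and MQ"; return 1; }
  sudoers_allows_group_mqm "$3" || { echo "no passwordless sudo rule for %mqm"; return 1; }
  echo "ok: interactive login disabled, sudo as mqm available"
}

check_mqm_hardening "$SHADOW_LINE" "$PASSWD_LINE" "$SUDOERS_RULE"
```

A locked password does not block SSH key authentication, so key-based access to mqm (as mentioned later for RDQM) has to be reviewed separately.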
mcouture
Posted: Mon Jul 24, 2023 6:01 am Post subject:
Newbie
Joined: 13 Oct 2010 Posts: 3

Thank you. I "knew" it was possible, but our Unix team has "officially" stated that disabling interactive logins AND having sudo available is not possible.
Everywhere I've supported MQ we've done it this way. I think I had one place that had us do MQ admin work with our personal IDs, but I cannot remember... long, long ago...
I am having a meeting with that team this week...
gbaddeley
Posted: Mon Jul 24, 2023 4:08 pm Post subject:
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia

mcouture wrote:
    Thank you. I "knew" it was possible, but our Unix team has "officially" stated that disabling interactive logins AND having sudo available is not possible...

From a security perspective, it does not make sense to not allow sudo to mqm without a password, when it is required to properly maintain and operate MQ. What are they concerned about?
Code:
    > sudo -l
    User xxxxxxxx may run the following commands on yyyyyyy:
    (mqm) NOPASSWD: ALL
_________________
Glenn
mcouture
Posted: Tue Jul 25, 2023 4:33 am Post subject:
Newbie
Joined: 13 Oct 2010 Posts: 3

Yes, there is the right way, the wrong way and "the way we do it" way... haha
fjb_saper
Posted: Tue Jul 25, 2023 7:58 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

gbaddeley wrote:
    mcouture wrote:
        Thank you. I "knew" it was possible, but our Unix team has "officially" stated that disabling interactive logins AND having sudo available is not possible...

    From a security perspective, it does not make sense to not allow sudo to mqm without a password, when it is required to properly maintain and operate MQ. What are they concerned about?
    Code:
        > sudo -l
        User xxxxxxxx may run the following commands on yyyyyyy:
        (mqm) NOPASSWD: ALL

Color me right there somewhere, but doesn't sudo require the password of the user issuing the command?
Passwordless ssh to mqm can be done with ssh keys (RDQM), and I expect those would be secure...
_________________
MQ & Broker admin
bruce2359
Posted: Wed Jul 26, 2023 12:15 pm Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.

Out of curiosity, have your internal/external auditors approved password-less sudo?
Out of curiosity, do you allow root login without a password?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
gbaddeley
Posted: Wed Jul 26, 2023 5:14 pm Post subject:
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia

bruce2359 wrote:
    Out of curiosity, have your internal/external auditors approved password-less sudo?

Yes, for specific sudo actions (e.g. sudo -u mqm -l).
It is an approved way of working for all our UNIX product support teams that team members can sudo from their team role userids (e.g. MQ admin) to their service userids.
We have team role userids, rather than personal ones, and don't need a password for login to each server. The magic of CyberArk privileged access. It has single sign-on with 2FA. Log in once in the morning. No further use of passwords to access any UNIX servers.

bruce2359 wrote:
    Out of curiosity, do you allow root login without a password?

I don't know, probably not. MQ admins do not have root access.
_________________
Glenn