[nycbug-talk] Public-key sudo?
jhell at DataIX.net
Sat Jan 7 19:49:08 EST 2012
On Sat, Jan 07, 2012 at 04:06:52PM -0500, Edward Capriolo wrote:
> I am a little bit curious about what people view as the distinction between:
> Force public key SSH and sudo NOPASSWD and
> Sudo using SSHAgent.
> I am doing the former in my deployment. I do not understand what advantage
> having sudo do an SSH auth would bring.
I always find this to be amusing when people become lazy and do not want to type a password and would rather subvert the process by adding even more functionality that can be easily misunderstood and lead to breeches.
Sudo already has the ability to adjust timeouts and such...
Defaults timestamp_timeout = "180"
With the right mix you may be able to get away with NOPASSWD using a combination with a users host.
I don't see an advantage here besides "I don't have to type my password".
Maybe pam_ssh.so PAM module could assist with this also...
auth sufficient pam_ssh.so no_warn try_first_pass
session optional pam_ssh.so
> On Sat, Jan 7, 2012 at 2:47 PM, Jan Schaumann <jschauma at netmeister.org>wrote:
> > Bob Ippolito <bob at redivi.com> wrote:
> > > I'm trying to catch up on the past few years of what's been happening
> > with
> > > ops (ec2, puppet, chef, etc.) and I was wondering if public-key sudo has
> > > caught on at all?
> > Yahoo! recently started using a pam module to allow ssh-key
> > authentication for sudo(8):
> > http://pamsshagentauth.sourceforge.net/
> > I don't know if that is related to the project presented in 2008,
> > though.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 455 bytes
Desc: not available
More information about the talk