[nycbug-talk] Public-key sudo?
mspitzer at gmail.com
Sat Jan 7 20:49:44 EST 2012
On Sat, Jan 7, 2012 at 8:29 PM, Pete Wright <pete at nomadlogic.org> wrote:
> On Sat, 07 Jan 2012 16:49:08 -0800, Jason Hellenthal <jhell at dataix.net>
>> On Sat, Jan 07, 2012 at 04:06:52PM -0500, Edward Capriolo wrote:
>>> I am a little bit curious about what people view as the distinction
>>> Force public key SSH and sudo NOPASSWD and
>>> Sudo using SSHAgent.
>>> I am doing the former in my deployment. I do not understand what
>>> having sudo do an SSH auth would bring.
>> I always find this to be amusing when people become lazy and do not want
>> to type a password and would rather subvert the process by adding even more
>> functionality that can be easily misunderstood and lead to breaches.
>> Sudo already has the ability to adjust timeouts and such...
>> Defaults timestamp_timeout = "180"
>> Defaults !tty_tickets
>> Defaults requiretty
>> Defaults mail_badpass
>> Defaults mail_no_host
>> Defaults mail_no_perms
>> Defaults mail_no_user
>> With the right mix you may be able to get away with NOPASSWD using a
>> combination with a users host.
>> I don't see an advantage here besides "I don't have to type my password".
>> Maybe pam_ssh.so PAM module could assist with this also...
>> auth sufficient pam_ssh.so no_warn
>> session optional pam_ssh.so
> michael lucas sums up my thoughts on this pretty nicely:
> I have dozens of servers. They all have a central password provider (LDAP).
> They’re all secured, but I can’t guarantee that a script kiddie cannot crack
> them. This means I can’t truly trust my trusted servers. I really want to
> reduce how often I send my password onto a server. But I also need to
> require additional authentication for superuser activities, so using
> NOPASSWD in sudoers isn’t a real solution. By passing the sudo
> authentication back to my SSH agent, I reduce the number of times I must
> give my password to my hopefully-but-not-100%-certain-secure servers. I can
> also disable password access to sudo, so that even if someone steals my
> password, they can’t use it. (Yes, someone could possibly hijack my SSH
> agent socket, but that requires a level of skill beyond most script kiddies
> and raises the skill required for APT.)
> it's the whole requiring an additional layer of security for sudo that I feel
> makes this a good solution. I really only feel NOPASSWD is reserved for a
> last resort - for use by wrappers in automation scripts and the like.
Isn't this taken care of with Kerberos? You type your password in
once, for a configurable time period, and then the systems
authenticate against your temporary Kerberos-granted credentials.
Freedom is nothing but a chance to be better.
The problem with socialism is that eventually you run out
of other people's money.
Do the arithmetic or be doomed to talk nonsense.
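The sudoers Defaults Jason lists and Pete's point that NOPASSWD belongs only in last-resort automation rules suggest a quick audit. This is an added example, not code from anyone in the thread: it parses a constructed sudoers sample, flags every NOPASSWD rule (singling out those that grant ALL), and reports whether timestamp_timeout, tty_tickets and requiretty are set.

```python
import re

# Constructed sample sudoers for this example; not from any real host.
SAMPLE_SUDOERS = """\
Defaults timestamp_timeout = "180"
Defaults !tty_tickets
Defaults requiretty
Defaults mail_badpass
# deploy may restart the app without a password (automation wrapper)
deploy ALL=(root) NOPASSWD: /usr/sbin/service app restart
ops    ALL=(ALL) ALL
backup ALL=(root) NOPASSWD: ALL
"""

def audit_sudoers(text):
    """Return findings from sudoers text: NOPASSWD rules and key Defaults.
    Only plain 'Defaults' lines are inspected; per-user/host variants
    (Defaults:user, Defaults@host) and #include directives are skipped."""
    findings = {"nopasswd": [], "timestamp_timeout": None,
                "tty_tickets": True, "requiretty": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        d = re.match(r"Defaults\s+(.*)", line)
        if d:
            body = d.group(1).strip()
            t = re.match(r'timestamp_timeout\s*=\s*"?(-?\d+)"?', body)
            if t:
                findings["timestamp_timeout"] = int(t.group(1))
            elif body == "!tty_tickets":
                findings["tty_tickets"] = False
            elif body == "requiretty":
                findings["requiretty"] = True
            continue
        # user host=(runas) [TAG:] commands
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)", line)
        if m and "NOPASSWD:" in m.group(4):
            user, host, runas, cmds = m.groups()
            cmd = cmds.split("NOPASSWD:", 1)[1].strip()
            findings["nopasswd"].append({"user": user, "host": host,
                                         "runas": runas or user, "cmd": cmd,
                                         "unrestricted": cmd == "ALL"})
    return findings

def risky_rules(findings):
    """NOPASSWD rules granting every command: password-free root with no scope."""
    return [r for r in findings["nopasswd"] if r["unrestricted"]]
```

A rule like the deploy one above is scoped to a single command and is the automation case Pete describes; the backup rule is the one an audit should question.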