[nycbug-talk] Public-key sudo?
ike at blackskyresearch.net
Sun Jan 8 12:08:22 EST 2012
On Jan 8, 2012, at 12:23 AM, Edward Capriolo wrote:
> You can tell people to lock their SSH keys with a password and store them on an encrypted drive, but counting on users is something I never do.
> People can strip the password encoding off a key, or choose to use some SSH client that stores the key password in a non-encrypted file.
Agreed, it's nearly a lost cause in the real world to trust this, even with extremely well-intentioned users.
Per my sentiment earlier in this thread, separating trust/responsibility is important.
Trusting fellow Administrators to perform this basic task is something I've come to depend on, yet I agree, nearly impossible to expect of everyone with shells in an organization.
Policy here is easy to roll out and enforce: create a culture of understanding *why* we all make sure we use ssh key passwords, (and don't store the password in silly places).
What I find more fascinating, is that most developers and unix users *need* root/sudo to do our jobs these days, (hence the popularity of virtualized servers in various forms). From installing software, to restarting services- so much is so big and brittle. (When was the last time anyone tried to install some software package to their home directory, on a box where they did not have root/sudo privs?)
Lots of this 'web-scale' software I've worked with in the last year is just so messy it's nearly impossible to work with it outside of this paradigm- frustrating.
> I used to like LDAP and Kerberos but a high percentage of admins hate LDAP auth. People who know LDAP and/or Kerberos are a serious minority. I have had the fight multiple times (the infamous "LDAP is one more thing to break" argument). So I have moved on with my life.
> My argument is: I use SSH keys because the client server interaction is not based on short text strings that are easy to give away. I can push out keys to appropriate servers and control access.
> I definitely understand why people do not like NOPASSWD, but I just do not get having a password for sudo when it does not take one to get into the system. I do not count the password the user chose to lock their key as a password.
This whole thread didn't yet touch the 'muscle memory kills' problem which sudo with passwords mitigates, (e.g. the annoying pause before doing something potentially destructive, afforded by having to remember/type a password).
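As an added example, not part of the original post or of any tool it mentions: an admin-side audit for the first failure Edward describes, a passphrase stripped off a private key. The armor line of an OpenSSH-native key looks identical whether or not a passphrase is set, so the check decodes the `openssh-key-v1` blob and reads the cipher name from its cleartext prefix (`none` means no passphrase) instead of trusting the `BEGIN` line; legacy PEM keys are judged by the `Proc-Type: 4,ENCRYPTED` header and PKCS#8 keys by their armor. The function names are this example's own, and the sample keys are constructed in-line with filler material so it runs offline. It cannot catch the second failure (a client caching the passphrase in a cleartext file).

```python
import base64
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(blob: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (big-endian uint32 length + data)."""
    return struct.pack(">I", len(blob)) + blob


def _read_ssh_string(buf: bytes, offset: int):
    """Decode one SSH wire 'string' at offset; return (value, next_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated openssh-key-v1 blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated openssh-key-v1 blob")
    return buf[start:start + length], start + length


def _pem_payload(lines) -> bytes:
    """Base64-decode the body of a PEM block, skipping any 'Name: value' headers."""
    body = [ln.strip() for ln in lines[1:-1] if ln.strip() and ":" not in ln]
    return base64.b64decode("".join(body))


def key_is_encrypted(text: str) -> bool:
    """True if the private key in `text` is passphrase-protected.

    OpenSSH native format: the blob's cleartext prefix names the cipher and
    KDF; cipher 'none' means no passphrase, whatever the armor looks like.
    PKCS#8: the armor itself says ENCRYPTED PRIVATE KEY or PRIVATE KEY.
    Legacy PEM (RSA/DSA/EC PRIVATE KEY): encrypted only with a
    'Proc-Type: 4,ENCRYPTED' header.
    """
    lines = text.strip().splitlines()
    if not lines:
        raise ValueError("empty file")
    first, last = lines[0].strip(), lines[-1].strip()
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        if last != "-----END OPENSSH PRIVATE KEY-----":
            raise ValueError("unterminated PEM block")
        blob = _pem_payload(lines)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(blob, off)  # 'bcrypt' whenever cipher != 'none'
        return cipher != b"none"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True
    if first == "-----BEGIN PRIVATE KEY-----":
        return False
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        return any(ln.strip() == "Proc-Type: 4,ENCRYPTED" for ln in lines)
    raise ValueError("unrecognised private key format")


def scan(directory: Path) -> dict:
    """Map each private-key file under directory to encrypted/UNENCRYPTED/unparseable."""
    report = {}
    for path in sorted(directory.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        head = text.lstrip()[:64]
        if not (head.startswith("-----BEGIN ") and "PRIVATE KEY-----" in head):
            continue  # public keys, known_hosts, config files etc.
        try:
            report[path.name] = "encrypted" if key_is_encrypted(text) else "UNENCRYPTED"
        except ValueError:
            report[path.name] = "unparseable"
    return report


def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: a valid openssh-key-v1 prefix over a filler payload."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(b"\x00" * 32))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples: real-shaped headers, filler instead of key material.
SAMPLE_KEYS = {
    "id_ed25519_plain": _fake_openssh_key(b"none", b"none"),
    "id_ed25519_enc": _fake_openssh_key(b"aes256-ctr", b"bcrypt"),
    "id_rsa_legacy_plain": "-----BEGIN RSA PRIVATE KEY-----\nMIIB\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_legacy_enc": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                          "MIIB\n-----END RSA PRIVATE KEY-----\n"),
}


def audit_samples() -> dict:
    """Write the constructed samples to a temp dir and scan it (demo run)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_KEYS.items():
            Path(tmp, name).write_text(text)
        return scan(Path(tmp))


if __name__ == "__main__":
    for name, status in audit_samples().items():
        print(f"{status:12} {name}")
```

Run it as root over the home directories of a shared host (`scan(Path("/home"))`) and the UNENCRYPTED entries are the keys worth a conversation. A key that passes today can still have its passphrase removed tomorrow with `ssh-keygen -p`, so this is a recurring check, not a one-time one, and it says nothing about keys that only ever live on the user's laptop.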