[nycbug-talk] Public-key sudo?

Edward Capriolo edlinuxguru at gmail.com
Sat Jan 7 20:25:31 EST 2012


It isn't laziness. When I was "sold" on SSH keys the concept was that
passwords are hard to rotate and not safe because people write them down on
napkins, share them, etc. So since I have "bought into" this philosophy it
seems contradictory to me to have sudo use a password.

On Sat, Jan 7, 2012 at 7:49 PM, Jason Hellenthal <jhell at dataix.net> wrote:

>
>
> On Sat, Jan 07, 2012 at 04:06:52PM -0500, Edward Capriolo wrote:
> > I am a little bit curious about what people view as the distinction between:
> >
> > Force public key SSH and sudo NOPASSWD and
> > Sudo using SSHAgent.
> >
> > I am doing the former in my deployment. I do not understand what advantage
> > having sudo do an SSH auth would bring.
>
> I always find this to be amusing when people become lazy and do not want
> to type a password and would rather subvert the process by adding even more
> functionality that can be easily misunderstood and lead to breaches.
>
> Sudo already has the ability to adjust timeouts and such...
> Defaults        timestamp_timeout = "180"
> Defaults        !tty_tickets
> Defaults        requiretty
> Defaults        mail_badpass
> Defaults        mail_no_host
> Defaults        mail_no_perms
> Defaults        mail_no_user
>
> With the right mix you may be able to get away with NOPASSWD using a
> combination with a users host.
>
> I don't see an advantage here besides "I don't have to type my password".
>
> Maybe pam_ssh.so PAM module could assist with this also...
>
> auth           sufficient      pam_ssh.so              no_warn try_first_pass
> session        optional        pam_ssh.so
>
> >
> > On Sat, Jan 7, 2012 at 2:47 PM, Jan Schaumann <jschauma at netmeister.org> wrote:
> >
> > > Bob Ippolito <bob at redivi.com> wrote:
> > > > I'm trying to catch up on the past few years of what's been happening
> > > with
> > > > ops (ec2, puppet, chef, etc.) and I was wondering if public-key sudo has
> > > > caught on at all?
> > >
> > > Yahoo! recently started using a pam module to allow ssh-key
> > > authentication for sudo(8):
> > >
> > > http://pamsshagentauth.sourceforge.net/
> > >
> > > I don't know if that is related to the project presented in 2008,
> > > though.
> > >
>
> --
> ;s =;
>
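The two set-ups the thread is comparing, written out side by side as an added example (this is not configuration posted by anyone on the list): a sudoers fragment using the Defaults Jason listed plus a NOPASSWD rule limited to named hosts, and the pam_ssh_agent_auth PAM line for the module behind Jan's link. The user name `ed`, the host alias `WEBHOSTS`, the host names and the authorized_keys path are assumptions; the module's install path differs per OS.

```conf
# /etc/sudoers -- added example, edit only via visudo(8)

# Option A: public-key SSH login, then sudo without a password, but only on
# the hosts where that is intended (names below are made up).
Defaults        timestamp_timeout = 180
Defaults        !tty_tickets
Defaults        requiretty
Defaults        mail_badpass, mail_no_host, mail_no_perms, mail_no_user
Host_Alias      WEBHOSTS = web01, web02

# General rule first; sudoers uses the last matching entry, so the
# host-restricted NOPASSWD rule must come after it.
ed              ALL = (root) ALL
ed              WEBHOSTS = (root) NOPASSWD: ALL

# Option B: sudo authenticates against the caller's forwarded ssh-agent
# through pam_ssh_agent_auth.  sudo resets the environment, so the agent
# socket variable has to be passed through explicitly:
Defaults        env_keep += "SSH_AUTH_SOCK"

# /etc/pam.d/sudo -- added example
# The keys that may satisfy sudo are listed in a root-owned file, not the
# user's own ~/.ssh/authorized_keys, so the user cannot add keys to it.
# auth    sufficient  pam_ssh_agent_auth.so file=/etc/security/authorized_keys
# auth    include     system-auth
```

Option A is only as tight as the host list: `WEBHOSTS` is matched against the local hostname, so a box that is not in the alias still prompts for a password. Option B keeps a prompt-free sudo but moves the trust to whoever can reach the forwarded agent socket; root on an intermediate host where the agent is forwarded can answer sudo's challenge on your behalf, which is the "more functionality that can be misunderstood" Jason is pointing at.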

