[nycbug-talk] Public-key sudo?
edlinuxguru at gmail.com
Sat Jan 7 20:25:31 EST 2012
It isn't laziness. When I was "sold" on SSH keys the concept was that
passwords are hard to rotate and not safe because people write them down on
napkins, share them, etc. So since I have "bought into" this philosophy it
seems contradictory to me to have sudo use a password.
On Sat, Jan 7, 2012 at 7:49 PM, Jason Hellenthal <jhell at dataix.net> wrote:
> On Sat, Jan 07, 2012 at 04:06:52PM -0500, Edward Capriolo wrote:
> > I am a little bit curious about what people view as the distinction
> > Force public key SSH and sudo NOPASSWD and
> > Sudo using SSHAgent.
> > I am doing the former in my deployment. I do not understand what
> > having sudo do an SSH auth would bring.
> I always find this to be amusing when people become lazy and do not want
> to type a password and would rather subvert the process by adding even more
> functionality that can be easily misunderstood and lead to breaches.
> Sudo already has the ability to adjust timeouts and such...
> Defaults timestamp_timeout = "180"
> Defaults !tty_tickets
> Defaults requiretty
> Defaults mail_badpass
> Defaults mail_no_host
> Defaults mail_no_perms
> Defaults mail_no_user
> With the right mix you may be able to get away with NOPASSWD using a
> combination with a user's host.
> I don't see an advantage here besides "I don't have to type my password".
> Maybe pam_ssh.so PAM module could assist with this also...
> auth sufficient pam_ssh.so no_warn
> session optional pam_ssh.so
> > On Sat, Jan 7, 2012 at 2:47 PM, Jan Schaumann <jschauma at netmeister.org> wrote:
> > > Bob Ippolito <bob at redivi.com> wrote:
> > > > I'm trying to catch up on the past few years of what's been happening
> > > with
> > > > ops (ec2, puppet, chef, etc.) and I was wondering if public-key sudo
> > > > caught on at all?
> > >
> > > Yahoo! recently started using a pam module to allow ssh-key
> > > authentication for sudo(8):
> > >
> > > http://pamsshagentauth.sourceforge.net/
> > >
> > > I don't know if that is related to the project presented in 2008,
> > > though.
> > >
> ;s =;
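The two setups the thread compares, staged side by side so they can be reviewed before anything is installed. This is an added example, not configuration from anyone on the list or from the pam_ssh_agent_auth project; the host names, the `deploy` group, the command list and the authorized-keys path are assumptions. It also records two caveats a practitioner would want next to the quoted Defaults: `timestamp_timeout` is in minutes, and `tty_tickets` is on by default in current sudo, so `!tty_tickets` widens the cached-credential window rather than narrowing it.

```shell
#!/bin/sh
# Added example (not from the thread): stage two sudo setups in a scratch
# directory and run simple checks over them before copying anything to /etc.
# Host names, group, command list and key-file path are assumptions.
set -eu

stage_sudo_configs() {
    dir=$1
    mkdir -p "$dir/sudoers.d" "$dir/pam.d"

    # Variant A: key-only SSH plus NOPASSWD, fenced by host and command.
    # timestamp_timeout is in minutes (the quoted 180 is a three-hour window).
    # tty_tickets is the default in current sudo; "!tty_tickets" would let one
    # cached timestamp cover every session of the user.
    cat > "$dir/sudoers.d/10-nopasswd" <<'EOF'
Defaults timestamp_timeout=5
Defaults tty_tickets
Defaults requiretty
Defaults mail_badpass, mail_no_host, mail_no_perms, mail_no_user
Host_Alias  BUILD_HOSTS = build01, build02
Cmnd_Alias  DEPLOY = /usr/bin/systemctl restart app, /usr/bin/git -C /srv/app pull
# Password-less only on the named hosts and only for the named commands.
%deploy BUILD_HOSTS = (root) NOPASSWD: DEPLOY
EOF

    # Variant B: pam_ssh_agent_auth (http://pamsshagentauth.sourceforge.net/)
    # satisfies sudo's PAM auth step with a signature from the user's forwarded
    # agent, checked against a root-owned authorized_keys file. "sufficient"
    # means a missing agent or unknown key falls through to the password stack.
    cat > "$dir/pam.d/sudo" <<'EOF'
auth      sufficient pam_ssh_agent_auth.so file=/etc/security/sudo_authorized_keys
auth      include    system-auth
account   include    system-auth
session   include    system-auth
EOF
    # sudo resets the environment; the module needs SSH_AUTH_SOCK to survive.
    cat > "$dir/sudoers.d/20-agent" <<'EOF'
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults timestamp_timeout=5
Cmnd_Alias  DEPLOY = /usr/bin/systemctl restart app, /usr/bin/git -C /srv/app pull
%deploy ALL = (root) DEPLOY
EOF
}

# Review checks that need no sudo installed: the agent variant keeps the
# socket, the PAM stack references the module, and nothing reintroduces
# the weak !tty_tickets setting or an unrestricted NOPASSWD: ALL.
check_staged() {
    dir=$1
    grep -q '^Defaults env_keep += "SSH_AUTH_SOCK"' "$dir/sudoers.d/20-agent" || return 1
    grep -q 'pam_ssh_agent_auth\.so' "$dir/pam.d/sudo" || return 1
    ! grep -q '!tty_tickets' "$dir"/sudoers.d/* || return 1
    ! grep -q 'NOPASSWD: *ALL' "$dir"/sudoers.d/* || return 1
    return 0
}

# Usage: stage into a scratch directory, review, then install by hand.
if [ "${1:-}" = "stage" ]; then
    out=$(mktemp -d)
    stage_sudo_configs "$out"
    check_staged "$out" && echo "staged under $out"
fi
```

Before installing either variant, run `visudo -cf` on each staged sudoers fragment as root to catch syntax errors, and remember that `requiretty` will reject `ssh host sudo cmd` unless the client allocates a tty with `-t`.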