[nycbug-talk] Public-key sudo?

Bob Ippolito bob at redivi.com
Sun Jan 8 21:37:33 EST 2012


On Sun, Jan 8, 2012 at 5:30 PM, Jan Schaumann <jschauma at netmeister.org> wrote:

> Jason Hellenthal <jhell at dataix.net> wrote:
>
> > I don't see an advantage here besides "I don't have to type my password".
>
> For starters / in addition to what others have already said, you don't
> actually have to _have_ a password hash sitting on the server in
> question.  In some cases it's unacceptable to have your password hash be
> exposed to the host in question.


Well, the password hash could be safely sitting in an LDAP server somewhere.

The bigger issue is that the server that you're sudo-ing on gets your
password in plaintext, which could be snooped by a clever enough attacker
with access to your pty; and if they have superuser, you've really lost,
because it would be even easier to get your password in plaintext by
replacing the sudo binary or screwing with PAM.

-bob

