[nycbug-talk] Public-key sudo?

Matthew Story matt at tablethotels.com
Sun Jan 8 21:48:00 EST 2012


On Jan 8, 2012, at 9:37 PM, Bob Ippolito wrote:

> 
> 
> On Sun, Jan 8, 2012 at 5:30 PM, Jan Schaumann <jschauma at netmeister.org> wrote:
> Jason Hellenthal <jhell at dataix.net> wrote:
> 
> > I don't see an advantage here besides "I don't have to type my password".
> 
> For starters / in addition to what others have already said, you don't
> have to actually have to _have_ a password hash sitting on the server in
> question.  In some cases it's unacceptable to have your password hash be
> exposed to the host in question.
> 
> Well, the password hash could be safely sitting in an LDAP server somewhere.
> 
> The bigger issue is that the server that you're sudo-ing on gets your password in plaintext that could be snooped by a clever enough attacker with access to your pty or if they have superuser you've really lost because it would be even easier to get your password in plaintext by replacing the sudo binary or screwing with PAM.

if an attacker has access to a pty of your user ... even if you have password-less sudo, it would be simple enough for the attacker to write a sudo wrapper that throws an stty with a password prompt, and 99% of your users will follow their conditioning and type a password when sudo prompts for it, regardless of system setup.

password is a flawed protocol, we have the tech to fix it, but until the social conditioning of providing a secret when asked is broken, this is all pretty meaningless.

-matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20120108/bf25c067/attachment.htm>


More information about the talk mailing list