[nycbug-talk] Public-key sudo?
Jason Hellenthal
jhell at DataIX.net
Sat Jan 7 19:49:08 EST 2012
On Sat, Jan 07, 2012 at 04:06:52PM -0500, Edward Capriolo wrote:
> I am a little bit curious about what people view as the distinction between:
>
> Force public key SSH and sudo NOPASSWD and
> Sudo using SSHAgent.
>
> I am doing the former in my deployment. I do not understand what advantage
> having sudo do an SSH auth would bring.
I always find this to be amusing when people become lazy and do not want to type a password and would rather subvert the process by adding even more functionality that can be easily misunderstood and lead to breaches.
Sudo already has the ability to adjust timeouts and such...
Defaults timestamp_timeout = "180"
Defaults !tty_tickets
Defaults requiretty
Defaults mail_badpass
Defaults mail_no_host
Defaults mail_no_perms
Defaults mail_no_user
With the right mix you may be able to get away with NOPASSWD using a combination with a user's host.
I don't see an advantage here besides "I don't have to type my password".
Maybe pam_ssh.so PAM module could assist with this also...
auth sufficient pam_ssh.so no_warn try_first_pass
session optional pam_ssh.so
>
> On Sat, Jan 7, 2012 at 2:47 PM, Jan Schaumann <jschauma at netmeister.org>wrote:
>
> > Bob Ippolito <bob at redivi.com> wrote:
> > > I'm trying to catch up on the past few years of what's been happening
> > with
> > > ops (ec2, puppet, chef, etc.) and I was wondering if public-key sudo has
> > > caught on at all?
> >
> > Yahoo! recently started using a pam module to allow ssh-key
> > authentication for sudo(8):
> >
> > http://pamsshagentauth.sourceforge.net/
> >
> > I don't know if that is related to the project presented in 2008,
> > though.
> >
--
;s =;
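The thread above argues over whether NOPASSWD rules are acceptable once the sudoers Defaults (timestamp_timeout, tty_tickets, requiretty) are tuned. The script below is an added example, not code from the post or from the sudo project: a small audit that parses a sudoers fragment, records the Defaults in effect, and flags each NOPASSWD rule by how narrowly it is scoped (host-restricted versus ALL hosts, ALL commands). The sudoers text is constructed for the example and the severity thresholds (anything above 15 minutes of cached credentials counts as "long") are assumptions chosen here; the sudo option names are the ones the post uses.

```python
import re

# Constructed sudoers fragment: the Defaults from the post, one NOPASSWD rule
# scoped to a single host, and one unscoped rule (assumption: sample only).
SAMPLE_SUDOERS = """\
Defaults timestamp_timeout = "180"
Defaults !tty_tickets
Defaults requiretty
Defaults mail_badpass
Defaults mail_no_host
Defaults mail_no_perms
Defaults mail_no_user
# host-scoped NOPASSWD: only on build01, only one script
deploy build01 = (root) NOPASSWD: /usr/local/bin/deploy.sh
# unscoped NOPASSWD: every host, every command
ops ALL = (ALL) NOPASSWD: ALL
%wheel ALL = (ALL) ALL
"""

# "Defaults", optionally qualified (Defaults:user, Defaults@host, ...), then the body.
DEFAULTS_RE = re.compile(r'^Defaults\S*\s+(.+)$')
# user  hosts = (runas) commands   -- the basic user-specification shape.
SPEC_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$')

LONG_TIMEOUT_MINUTES = 15  # assumption: threshold for flagging a long credential cache


def parse_defaults(body):
    """Turn 'a, !b, c = "v"' into {'a': True, 'b': False, 'c': 'v'}."""
    out = {}
    for item in body.split(','):
        item = item.strip()
        if '=' in item:
            name, value = (part.strip() for part in item.split('=', 1))
            out[name] = value.strip('"')
        elif item.startswith('!'):
            out[item[1:]] = False
        elif item:
            out[item] = True
    return out


def audit_sudoers(text):
    """Return (findings, defaults). Each finding is (severity, message)."""
    findings = []
    defaults = {}
    for raw in text.splitlines():
        # Comments start with '#'; this simple splitter does not handle
        # '#include' directives or '#' inside quoted strings.
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            defaults.update(parse_defaults(m.group(1)))
            continue
        m = SPEC_RE.match(line)
        if not m:
            findings.append(('warn', f'unparsed line: {line}'))
            continue
        cmds = m.group('cmds')
        if 'NOPASSWD:' not in cmds:
            continue
        hosts = m.group('hosts')
        allowed = cmds.split('NOPASSWD:', 1)[1].strip()
        if hosts.upper() == 'ALL' and allowed.upper() == 'ALL':
            level = 'high'      # any host, any command, no password
        elif hosts.upper() == 'ALL':
            level = 'medium'    # any host, but a fixed command list
        else:
            level = 'info'      # the host-scoped mix the post talks about
        findings.append((level, f"NOPASSWD for {m.group('user')} on {hosts}: {allowed}"))

    if defaults.get('tty_tickets') is False:
        findings.append(('medium',
                         'tty_tickets disabled: one credential cache covers every terminal of the user'))
    timeout = defaults.get('timestamp_timeout')
    if timeout is not None:
        try:
            minutes = float(timeout)
        except ValueError:
            findings.append(('warn', f'timestamp_timeout has a non-numeric value: {timeout!r}'))
        else:
            if minutes < 0:
                findings.append(('high', 'timestamp_timeout is negative: cached credentials never expire'))
            elif minutes > LONG_TIMEOUT_MINUTES:
                findings.append(('low', f'timestamp_timeout={timeout} minutes keeps credentials cached for a long time'))
    if defaults.get('requiretty') is not True:
        findings.append(('low', 'requiretty not set: sudo can be driven from non-interactive sessions'))
    return findings, defaults


if __name__ == '__main__':
    for level, msg in audit_sudoers(SAMPLE_SUDOERS)[0]:
        print(f'[{level}] {msg}')
```

Run against the constructed fragment it reports the host-scoped deploy rule as informational, the `ops ALL = (ALL) NOPASSWD: ALL` rule as high, the disabled `tty_tickets` as medium and the 180-minute timeout as low; pointing it at a real `/etc/sudoers` is a quick way to see whether a NOPASSWD entry is actually confined to a host and command list or silently grants everything.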