[nycbug-talk] Public-key sudo?

Pete Wright pete at nomadlogic.org
Sat Jan 7 20:29:24 EST 2012

On Sat, 07 Jan 2012 16:49:08 -0800, Jason Hellenthal <jhell at dataix.net> wrote:

> On Sat, Jan 07, 2012 at 04:06:52PM -0500, Edward Capriolo wrote:
>> I am a little bit curious about what people view as the distinction
>> between:
>> Force public key SSH and sudo NOPASSWD and
>> Sudo using SSHAgent.
>> I am doing the former in my deployment. I do not understand what
>> advantage having sudo do an SSH auth would bring.
> I always find this to be amusing when people become lazy and do not want
> to type a password and would rather subvert the process by adding even
> more functionality that can be easily misunderstood and lead to breaches.
> Sudo already has the ability to adjust timeouts and such...
> Defaults        timestamp_timeout = "180"
> Defaults        !tty_tickets
> Defaults        requiretty
> Defaults        mail_badpass
> Defaults        mail_no_host
> Defaults        mail_no_perms
> Defaults        mail_no_user
> With the right mix you may be able to get away with NOPASSWD using a  
> combination with a users host.
> I don't see an advantage here besides "I don't have to type my password".
> Maybe pam_ssh.so PAM module could assist with this also...
> auth           sufficient      pam_ssh.so              no_warn try_first_pass
> session        optional        pam_ssh.so

michael lucas sums up my thoughts on this pretty nicely:

I have dozens of servers. They all have a central password provider  
(LDAP). They’re all secured, but I can’t guarantee that a script kiddie  
cannot crack them. This means I can’t truly trust my trusted servers. I  
really want to reduce how often I send my password onto a server. But I  
also need to require additional authentication for superuser activities,  
so using NOPASSWD in sudoers isn’t a real solution. By passing the sudo  
authentication back to my SSH agent, I reduce the number of times I must  
give my password to my hopefully-but-not-100%-certain-secure servers. I  
can also disable password access to sudo, so that even if someone steals  
my password, they can’t use it. (Yes, someone could possibly hijack my SSH  
agent socket, but that requires a level of skill beyond most script  
kiddies and raises the skill required for APT.)

it's the whole requiring an additional layer of security for sudo that i
feel makes this a good solution.  i really only feel NOPASSWD is
reserved for a last resort - for use by wrappers in automation scripts and
the like.


Pete Wright
pete at nomadlogic.org
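
An added example, not part of the original message and not code from sudo: a small Python check over sudoers text that flags the settings debated in this thread (NOPASSWD rules, a long timestamp_timeout, and !tty_tickets). The sample rules, the 15-minute threshold and the function name are assumptions; it reads one setting per Defaults line and ignores line continuations and include directives.

```python
import re

# Constructed sample (not from a real host): the Defaults quoted in the
# thread plus hypothetical user rules.
SAMPLE_SUDOERS = '''\
Defaults        timestamp_timeout = "180"
Defaults        !tty_tickets
Defaults        requiretty
# deploy wrapper, automation only
deploy  ALL = (root) NOPASSWD: /usr/local/bin/deploy.sh
%wheel  ALL = (ALL) ALL
alice   web01 = (ALL) NOPASSWD: ALL
'''

# Matches "Defaults name", "Defaults !name" and "Defaults name = value".
DEFAULTS_RE = re.compile(
    r'^Defaults\S*\s+(!?)(\w+)\s*(?:[+-]?=\s*"?([^"]*)"?)?\s*$')

def audit_sudoers(text, max_timeout_minutes=15):
    """Return (line_no, kind, detail) for settings that weaken re-auth.

    max_timeout_minutes is an assumed policy threshold, not a sudo default.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith('Defaults'):
            m = DEFAULTS_RE.match(line)
            if not m:
                continue                          # unsupported form, skip
            negated, name, value = m.groups()
            if name == 'timestamp_timeout' and value:
                try:
                    minutes = float(value)        # sudo counts in minutes
                except ValueError:
                    continue
                if minutes < 0 or minutes > max_timeout_minutes:
                    findings.append((no, 'long_timeout', value.strip()))
            elif name == 'tty_tickets' and negated:
                # one cached credential is shared by all of a user's ttys
                findings.append((no, 'shared_ticket', '!tty_tickets'))
        elif 'NOPASSWD:' in line:
            user = line.split()[0]
            cmds = line.split('NOPASSWD:', 1)[1].strip()
            scope = 'all commands' if cmds == 'ALL' else cmds
            findings.append((no, 'nopasswd', f'{user}: {scope}'))
    return findings
```
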
