[nycbug-talk] Public-key sudo?
Marc Spitzer
mspitzer at gmail.com
Sat Jan 7 20:49:44 EST 2012
On Sat, Jan 7, 2012 at 8:29 PM, Pete Wright <pete at nomadlogic.org> wrote:
> On Sat, 07 Jan 2012 16:49:08 -0800, Jason Hellenthal <jhell at dataix.net>
> wrote:
>
>>
>>
>> On Sat, Jan 07, 2012 at 04:06:52PM -0500, Edward Capriolo wrote:
>>>
>>> I am a little bit curious about what people view as the distinction
>>> between:
>>>
>>> Force public key SSH and sudo NOPASSWD and
>>> Sudo using SSHAgent.
>>>
>>> I am doing the former in my deployment. I do not understand what
>>> advantage
>>> having sudo do an SSH auth would bring.
>>
>>
>> I always find this to be amusing when people become lazy and do not want
>> to type a password and would rather subvert the process by adding even more
>> functionality that can be easily misunderstood and lead to breaches.
>>
>> Sudo already has the ability to adjust timeouts and such...
>> Defaults timestamp_timeout = "180"
>> Defaults !tty_tickets
>> Defaults requiretty
>> Defaults mail_badpass
>> Defaults mail_no_host
>> Defaults mail_no_perms
>> Defaults mail_no_user
>>
>> With the right mix you may be able to get away with NOPASSWD using a
>> combination with a user's host.
>>
>> I don't see an advantage here besides "I don't have to type my password".
>>
>> Maybe pam_ssh.so PAM module could assist with this also...
>>
>> auth sufficient pam_ssh.so no_warn try_first_pass
>> session optional pam_ssh.so
>>
>>>
>
> michael lucas sums up my thoughts on this pretty nicely:
>
> {quote}
> I have dozens of servers. They all have a central password provider (LDAP).
> They’re all secured, but I can’t guarantee that a script kiddie cannot crack
> them. This means I can’t truly trust my trusted servers. I really want to
> reduce how often I send my password onto a server. But I also need to
> require additional authentication for superuser activities, so using
> NOPASSWD in sudoers isn’t a real solution. By passing the sudo
> authentication back to my SSH agent, I reduce the number of times I must
> give my password to my hopefully-but-not-100%-certain-secure servers. I can
> also disable password access to sudo, so that even if someone steals my
> password, they can’t use it. (Yes, someone could possibly hijack my SSH
> agent socket, but that requires a level of skill beyond most script kiddies
> and raises the skill required for APT.)
> {quote}
>
> it's the whole requiring an additional layer of security for sudo that I feel
> makes this a good solution. I really only feel NOPASSWORD is reserved for a
> last resort - for use by wrappers in automation scripts and the like.
>
Isn't this taken care of with kerberos? You type your password in
once, for a configurable time period, and then the systems
authenticate against your temporary kerberos-granted credentials.
marc
--
Freedom is nothing but a chance to be better.
--Albert Camus
The problem with socialism is that eventually you run out
of other people's money.
--Margaret Thatcher
Do the arithmetic or be doomed to talk nonsense.
--John McCarthy
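As an added illustration (editor's example, not from any of the posters): the blanket NOPASSWD grant next to a scoped one that uses the Defaults listed in the thread, plus a pam_ssh stack for sudo. The host names, user, wrapper path, mail address and file paths are assumptions.

```text
# --- /etc/sudoers.d/ops (assumed path; edit with visudo) ---
# The lazy form: password-less root for a whole group on every host.
# %wheel ALL=(ALL) NOPASSWD: ALL

# Tighten the password-cache behaviour first (options from the thread):
Defaults timestamp_timeout=5        # minutes a successful auth is cached
Defaults tty_tickets                # one ticket per tty, not per user
Defaults requiretty                 # refuse non-interactive sudo by default
Defaults mail_badpass, mail_no_host, mail_no_perms, mail_no_user
Defaults mailto="security@example.com"   # assumed address
Defaults logfile=/var/log/sudo.log

# Interactive admins keep a password prompt for the full ALL.
%wheel ALL=(ALL) ALL

# NOPASSWD only as the "last resort" for an automation wrapper,
# pinned to the hosts and the single command it needs (all names assumed).
Host_Alias  BUILD  = build1, build2
Cmnd_Alias  DEPLOY = /usr/local/bin/deploy-wrapper
Defaults:deploy !requiretty         # the wrapper runs from cron, not a tty
deploy BUILD = (root) NOPASSWD: DEPLOY

# --- /etc/pam.d/sudo (the pam_ssh route mentioned above) ---
# Accept a forwarded ssh-agent identity first, then fall back to the
# normal password check; the module names assume a FreeBSD-style PAM.
auth    sufficient  pam_ssh.so  no_warn try_first_pass
auth    required    pam_unix.so no_warn try_first_pass
session optional    pam_ssh.so
```

The mail_* and logfile settings give the failed or out-of-policy attempts a trail that a blanket NOPASSWD grant never produces.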