[nycbug-talk] Public-key sudo?

Isaac Levy ike at blackskyresearch.net
Sun Jan 8 12:08:22 EST 2012

On Jan 8, 2012, at 12:23 AM, Edward Capriolo wrote:

> You can tell people to lock their SSH keys with a password and store them on an encrypted drive, but counting on users is something I never do.
> People can strip the password encoding off a key, or choose to use some SSH client that stores the key password in a non-encrypted file.

Agreed, it's nearly a lost cause in the real world to trust this- even with extremely well-intentioned users.

Per my sentiment earlier in this thread, separating trust/responsibility is important.
Trusting fellow Administrators to perform this basic task is something I've come to depend on, yet I agree, it is nearly impossible to expect of everyone with shells in an organization.
Policy here is easy to roll out and enforce: create a culture of understanding *why* we all make sure we use ssh key passwords (and don't store the password in silly places).

What I find more fascinating, is that most developers and unix users *need* root/sudo to do our jobs these days, (hence the popularity of virtualized servers in various forms).  From installing software, to restarting services- so much is so big and brittle.  (When was the last time anyone tried to install some software package to their home directory, on a box where they did not have root/sudo privs?)

Lots of this 'web-scale' software I've worked with in the last year is just so messy it's nearly impossible to work with it outside of this paradigm- frustrating.

> I used to like LDAP and Kerberos but a high percentage of admins hate LDAP auth.  People who know LDAP and/or Kerberos are a serious minority. I have had the fight multiple times (the infamous "LDAP is one more thing to break" argument). So I have moved on with my life.
> My argument is: I use SSH keys because the client/server interaction is not based on short text strings that are easy to give away. I can push out keys to appropriate servers and control access.
> I definitely understand why people do not like NOPASSWD, but I just do not get having a password for sudo when it does not take one to get into the system. I do not count the password the user chose to lock their key as a password.

This whole thread didn't yet touch the 'muscle memory kills' problem which sudo with passwords mitigates (e.g. the annoying pause before doing something potentially destructive, afforded by having to remember/type a password).
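The thread's point that you cannot count on users to passphrase-protect their keys invites an administrator-side check. The following is an added example, not code from the mailing list or from OpenSSH: it classifies private key files as passphrase-protected or not by inspecting the on-disk format (the legacy PEM `Proc-Type: 4,ENCRYPTED` header, the PKCS#8 `ENCRYPTED PRIVATE KEY` armour, and the cipher name that follows the `openssh-key-v1` magic in the newer container), so it runs offline without invoking `ssh-keygen`. The sample key texts are constructed and truncated; they exercise the classifier and are not usable keys.

```python
"""Audit OpenSSH private key files for passphrase protection (added example)."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"   # leading bytes of the decoded new-format container


def _read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def classify_private_key(text):
    """Return 'encrypted', 'plaintext' or 'unknown' for the text of one key file."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"          # PKCS#8 armour says so in the label itself
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(line for line in lines[1:] if not line.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except ValueError:
            return "unknown"
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        # The first field after the magic is the cipher name; "none" means unprotected.
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return "plaintext" if cipher == b"none" else "encrypted"
    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by header lines before the body.
        for line in lines[1:]:
            if line == "":
                break                # headers end at the first blank line
            if line.startswith("Proc-Type:") and "ENCRYPTED" in line:
                return "encrypted"
        return "plaintext"
    return "unknown"


def unprotected_keys(samples):
    """Names of the samples (name -> key text) that are stored without a passphrase."""
    return sorted(name for name, text in samples.items()
                  if classify_private_key(text) == "plaintext")


def _constructed_openssh_container(cipher, kdf):
    """Build a truncated openssh-key-v1 blob carrying only the cipher and KDF names.
    Constructed for the classifier; it is not a loadable key."""
    payload = OPENSSH_MAGIC
    for field in (cipher, kdf):
        payload += struct.pack(">I", len(field)) + field
    b64 = base64.b64encode(payload).decode()
    wrapped = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(wrapped)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed sample inputs; the PEM bodies are placeholder base64, not real key material.
SAMPLE_KEYS = {
    "plain_openssh": _constructed_openssh_container(b"none", b"none"),
    "enc_openssh": _constructed_openssh_container(b"aes256-ctr", b"bcrypt"),
    "plain_pem": ("-----BEGIN RSA PRIVATE KEY-----\n"
                  "QUJDRA==\n"
                  "-----END RSA PRIVATE KEY-----\n"),
    "enc_pem": ("-----BEGIN RSA PRIVATE KEY-----\n"
                "Proc-Type: 4,ENCRYPTED\n"
                "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
                "\n"
                "QUJDRA==\n"
                "-----END RSA PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for name, text in SAMPLE_KEYS.items():
        print(f"{name:14s} {classify_private_key(text)}")
    print("unprotected:", unprotected_keys(SAMPLE_KEYS))
```

On a real host the same classifier can be fed `~/.ssh/id_*` files read as text; a key classified as `plaintext` is one where the only thing standing between a copied file and a login is whatever protects the disk it sits on, which is exactly the gap the thread describes.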
