Re: using ssh authentication with sudo

Actually, you're missing the most important piece of sudo.

People walk away from terminal sessions all the time. The point of the
authentication and timeout is to assure that the person executing the
sudo is actually the correct, authenticated person.

That's why sudo won't accept cached credentials. And I wouldn't do
anything to change that behavior. You might as well just log in with
UID 0 then.

Eric S. Johansson sent the following missive on 5/20/2007 11:17 AM:
There are a number of ways I could be missing something obvious, so I
apologize in advance.

My idea is it should be possible to grant sudo access with your ssh
credentials. The logic is that once the server has granted access to a
client based on its ssh keys, it should be possible to use the same
authentication to grant sudo privileges. After all, if a key pair is
good enough to get you into one machine, why isn't it good enough to
grant you the full Monty?

Assuming that it is, how could a local program determine that the
process it is running in has done so via ssh key authentication. Would
it query the agent directly? Would it be able to use agent forwarding?
Or is this a really bad idea that I should just give up on?

---eric


--
Justin Bradford Alcorn
justin@xxxxxxxxxxx
http://jalcorn.net
PGP Fingerprint A36D D691 C5B0 BE15 5A2A AF49 AA1C 372C
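Eric asks how a local program could tell that the caller really holds an ssh key and whether it would query the agent. As an added illustration (not code from this thread or from sudo or OpenSSH), here is the agent side of that check in Python: the program lists the keys loaded in the caller's agent over SSH_AUTH_SOCK, keeps only those also present in a local authorized_keys-style list, and makes the agent sign a fresh random nonce, which it then verifies. It assumes ssh-ed25519 keys, the ssh-agent protocol message numbers shown, and the third-party `cryptography` package for signature verification; the function names are this example's own.

```python
import base64, os, socket, struct
# ssh-agent protocol message numbers (draft-miller-ssh-agent)
REQUEST_IDENTITIES, IDENTITIES_ANSWER, SIGN_REQUEST, SIGN_RESPONSE = 11, 12, 13, 14

def ssh_string(b):                  # RFC 4251 "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b
def read_string(buf, off=0):        # -> (bytes, offset just after them)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n
def parse_identities(msg):          # SSH_AGENT_IDENTITIES_ANSWER -> [(key_blob, comment)]
    if msg[0] != IDENTITIES_ANSWER: raise ValueError("unexpected agent reply type %d" % msg[0])
    (count,), off, keys = struct.unpack_from(">I", msg, 1), 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        keys.append((blob, comment.decode()))
    return keys
def sign_request(key_blob, data):   # SSH_AGENTC_SIGN_REQUEST payload, flags = 0
    return bytes([SIGN_REQUEST]) + ssh_string(key_blob) + ssh_string(data) + b"\0\0\0\0"
def authorized_blobs(lines):        # raw key blobs from "<type> <base64> [comment]" lines
    return {base64.b64decode(l.split()[1]) for l in lines
            if len(l.split()) >= 2 and not l.lstrip().startswith("#")}

def verify_ed25519(key_blob, data, sig_blob):
    """True if sig_blob (ssh-ed25519 wire format) is a valid signature of data under key_blob."""
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    ktype, off = read_string(key_blob); raw_key, _ = read_string(key_blob, off)
    stype, off = read_string(sig_blob); raw_sig, _ = read_string(sig_blob, off)
    try:
        Ed25519PublicKey.from_public_bytes(raw_key).verify(raw_sig, data)
        return ktype == stype == b"ssh-ed25519"
    except Exception:               # malformed blob or InvalidSignature
        return False

def agent_call(sock, rfile, payload):   # one length-prefixed request, one reply
    sock.sendall(ssh_string(payload))
    (n,) = struct.unpack(">I", rfile.read(4))
    return rfile.read(n)
def caller_proves_key(authorized, sock_path=None):
    """Challenge the caller's agent: an authorized key must sign a fresh nonce now."""
    with socket.socket(socket.AF_UNIX) as s:
        s.connect(sock_path or os.environ["SSH_AUTH_SOCK"])
        rfile = s.makefile("rb")
        for blob, _ in parse_identities(agent_call(s, rfile, bytes([REQUEST_IDENTITIES]))):
            if blob in authorized:
                nonce = os.urandom(32)  # fresh per request, so a captured signature cannot be replayed
                reply = agent_call(s, rfile, sign_request(blob, nonce))
                if reply[0] == SIGN_RESPONSE and verify_ed25519(blob, nonce, read_string(reply, 1)[0]):
                    return True
    return False
```

Because the agent signs whatever it is asked while a key is loaded, this only proves that the key is reachable from the session, not that its owner is still at the keyboard; keys added with `ssh-add -c`, which makes the agent ask for confirmation before each signature, are what tie the signature to a person present at that moment.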
