Re: using ssh authentication with sudo



Well, when using ssh authentication I tend to ssh straight into root. I have my sshd daemons configured to only allow root login via keys, no passwords allowed, so it's pretty secure.

This amounts to the same thing as you are talking about if giving full root access (I am the admin after all) but in case you were trying to use sudo to grant elevated privs to just a few commands, then I would suggest looking at the pam for sudo and seeing if there is a module to allow key authentication.

The problem is that your key is usually stored on the machine you are connecting from, not on the remote machine itself (after all, you don't want your keys lying around, eh?). This poses the problem of how sudo on the remote machine could use the private key on the local machine.

Not sure if anyone has tackled this, but the pams are where I'd start. Perhaps there is some module for pam somewhere that can help here, although I'm not sure what it is. Google is your friend I guess.


-h

Hari Sekhon



Eric S. Johansson wrote:
There are a number of ways I could be missing something obvious, so I apologize in advance.

My idea is that it should be possible to grant sudo access with your ssh credentials. The logic is that once the server has granted access to a client based on its ssh keys, it should be possible to use the same authentication to grant sudo privileges. After all, if a key pair is good enough to get you into one machine, why isn't it good enough to grant you the full Monty?

Assuming that it is, how could a local program determine that the process it is running in has done so via ssh key authentication? Would it query the agent directly? Would it be able to use agent forwarding? Or is this a really bad idea that I should just give up on?

---eric
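
The question of whether a program on the server could query a forwarded agent comes down to the SSH agent protocol spoken over the socket named in `SSH_AUTH_SOCK`, which lets the private key stay on the connecting machine. As an added example (not code from either poster), this Python code frames the identity-list and sign requests and parses the agent's identity answer; the key blobs, comments and allow-list are constructed placeholders, and the helper names are hypothetical.

```python
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11  # message numbers from draft-miller-ssh-agent
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def frame(msg_type: int, payload: bytes = b"") -> bytes:
    """Frame an agent message: uint32 length, one type byte, payload."""
    return struct.pack(">IB", len(payload) + 1, msg_type) + payload

def read_string(buf: bytes, off: int):
    """Decode one SSH string at off; reject lengths that overrun the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string overruns message")
    return buf[off + 4 : off + 4 + n], off + 4 + n

def parse_identities(msg: bytes):
    """Parse a framed SSH_AGENT_IDENTITIES_ANSWER into (key_blob, comment) pairs."""
    if len(msg) < 9:
        raise ValueError("short message")
    length, msg_type, nkeys = struct.unpack_from(">IBI", msg, 0)
    if length != len(msg) - 4 or msg_type != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not a well-formed identities answer")
    keys, off = [], 9
    for _ in range(nkeys):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

def sign_request(key_blob: bytes, challenge: bytes, flags: int = 0) -> bytes:
    """Build the request asking the agent to sign a fresh challenge."""
    body = ssh_string(key_blob) + ssh_string(challenge) + struct.pack(">I", flags)
    return frame(SSH_AGENTC_SIGN_REQUEST, body)

def offered_and_authorized(answer: bytes, authorized: set):
    """Key blobs the agent offers that are also on the local allow-list."""
    return [blob for blob, _ in parse_identities(answer) if blob in authorized]

# Constructed sample data: placeholder blobs, not real public keys.
SAMPLE_ANSWER = frame(SSH_AGENT_IDENTITIES_ANSWER, struct.pack(">I", 2) + b"".join(
    ssh_string(s) for s in (b"BLOB-A", b"admin@laptop", b"BLOB-B", b"other@laptop")))
```

An offered key blob that matches the allow-list is not proof of possession: the caller still has to verify the signature the agent returns for a fresh, random challenge against that public key. Any process on the server that can open the forwarded socket can make the same requests for as long as the session lasts.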