[Tfug] using ssh key for sudo auth?
thewoolleyman at gmail.com
Thu May 10 01:15:56 MST 2007
I think it is timing out correctly, I was probably confused.
However, there is another issue to be aware of. I didn't realize this
was looking at the PASSPHRASE of your PRIVATE keys on the local
userid, not the public key you authenticated with.
By default, the /etc/pam.d/pam-ssh-auth looks at all the standard
private key filenames - id_dsa, id_rsa, etc.
This means that if you enable this, any no-passphrase private key for
the current user will allow no-passphrase sudo access. Even if you
type an incorrect passphrase, it will still allow sudo.
I got around this by manually changing pam-ssh-auth to only check the
keyfile that I care about. I have to have no-passphrase keys for
automated code deployment, backups, and such. It would be better to
not have a default-named no-passphrase key at all, and instead give it
a custom name, and then explicitly specify the keyfile name for a
specific host in the ssh config file using IdentityFile.
Anyway, PAM is definitely going to do what I wanted, after I fix all
the bad security practices I was doing already :). Thanks again.
On 5/9/07, Stephen Hooper <stephen.hooper at gmail.com> wrote:
> Maybe if you don't do that, but instead edit the same file
> ("/etc/pam.d/sudo"), and just put in the "auth" line, and not the
> "session" line it will timeout.
> Without seeing your file I cannot say for sure (and I have never used
> this product), but mine looks like this:
> auth include system-auth
> account include system-auth
> password include system-auth
> session include system-auth
> What I would do, would be add a line at the very top:
> "auth required pam_ssh"
> That way keys aren't getting added to the agent. The problem may
> still be if a key is added to the agent (for example you doing it
> manually) it may still not timeout.
> On 5/9/07, Chad Woolley <thewoolleyman at gmail.com> wrote:
> > There was one additional step required. I had to edit
> > /etc/pam.d/sudo, and add this as the first include:
> > @include pam-ssh-auth
> > Then it uses my ssh passphrase. It still doesn't timeout like normal
> > sudo, though...
> > -- Chad
> > On 5/9/07, Chad Woolley <thewoolleyman at gmail.com> wrote:
> > > Stephen,
> > >
> > > PAM was exactly what I needed. I ran this:
> > >
> > > sudo apt-get install libpam-ssh
> > >
> > > And now I can sudo without a password after authenticating via ssh
> > > with my key. Thanks!!!!
> > >
> > > -- Chad
> Tucson Free Unix Group - tfug at tfug.org
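A check in the spirit of the fix Chad describes, as an added example that is not from the thread: it lists the default-named private keys in a user's ~/.ssh that load with an empty passphrase, which are exactly the keys pam_ssh would accept without a passphrase being typed. It assumes OpenSSH's ssh-keygen is installed; the directory argument and function name are the example's own.

```shell
#!/bin/sh
# Audit a user's ~/.ssh for default-named private keys that have no
# passphrase.  With libpam-ssh checking all default key names, any such
# key satisfies the "auth" step (and therefore sudo) without a passphrase.
# Added example, not from the thread; assumes OpenSSH's ssh-keygen.

# Prints each default-named key file under $1 (default: ~/.ssh) that
# decrypts with an empty passphrase.  Returns 0 if none were found,
# 1 if at least one was.
find_passphraseless_default_keys() {
    dir="${1:-$HOME/.ssh}"
    found=0
    for key in "$dir/id_rsa" "$dir/id_dsa" "$dir/id_ecdsa" "$dir/id_ed25519"; do
        [ -f "$key" ] || continue
        # -y derives the public key from the private key; -P "" supplies
        # an empty passphrase, so this only succeeds for unencrypted keys.
        if ssh-keygen -y -P "" -f "$key" >/dev/null 2>&1; then
            printf 'no passphrase: %s\n' "$key"
            found=1
        fi
    done
    return "$found"
}
```

A key that shows up here should either get a passphrase or be renamed to a custom filename and referenced per host via IdentityFile, as Chad suggests.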