Old 12-17-2008, 04:16 AM
Neal McBurnett
 
sudopk: sudo auth via ssh-agent - port to Ubuntu?

I like the standard use of sudo in Ubuntu, for logging, extra
security, etc. But it can be risky to type a password into a remote
machine for sudo, e.g. a remote server or EC2 virtual machine. If the
remote machine is compromised, the password could be exposed and that
might open up other machines to compromise.

Instead I'd like to get ssh-agent involved: sudo on the remote machine
can do a challenge-response via its ssh-agent socket to get the local
machine's ssh-agent to authenticate.

This was requested a few years ago at:

http://www.sudo.ws/pipermail/sudo-users/2006-February/002747.html

and I started thinking about it again given the EC2 beta.

I just found that the recent USENIX LISA conference had a paper on an
implementation of this for OpenBSD 4.2 using the BSD Authentication
framework, which is like PAM:

http://www.usenix.org/event/lisa08/tech/full_papers/burnside/burnside_html/index.html

An openbsd patch is at http://www.cs.columbia.edu/~mb/code/sudopk

Anyone up for porting that to Ubuntu, perhaps via PAM?

I've written one of the authors, Matthew Burnside, and he is happy to
help anyone who wants to do it, but won't have time to do so soon
himself.

Neal McBurnett http://neal.mcburnett.org/

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 01-17-2009, 02:38 PM
Neal McBurnett
 
sudopk: sudo auth via ssh-agent - port to Ubuntu?

For those that didn't see the initial conversation on either ec2-beta
or ubuntu-server, here is what I wrote:

On Tue, Dec 16, 2008 at 09:20:01PM -0700, Neal McBurnett wrote:
> I like the standard use of sudo in Ubuntu, for logging, extra
> security, etc. But it can be very risky to type a password into a
> remote machine for sudo, e.g. a remote server or EC2 virtual machine.
> If the remote machine is compromised, the password could be exposed
> and that might open up other machines to compromise.
>
> Instead I'd like sudo on the remote machine to do a challenge-response
> via the ssh-agent socket to get the local machine's ssh-agent to
> authenticate.
>
> This was requested a few years ago at:
>
> http://www.sudo.ws/pipermail/sudo-users/2006-February/002747.html
>
> and I started thinking about it again given the EC2 beta.
>
> I just found that the recent USENIX LISA conference had a paper on an
> implementation of this for OpenBSD 4.2 using the BSD Authentication
> framework, which is like PAM:
>
> http://www.usenix.org/event/lisa08/tech/full_papers/burnside/burnside_html/index.html
>
> An openbsd patch is at http://www.cs.columbia.edu/~mb/code/sudopk
>
> Anyone up for porting that to Ubuntu, perhaps via PAM?
>
> I've written the authors to inquire if they know of efforts to do it.

The author of the OpenBSD code, Matthew Burnside (CC'd here) responded
that he thought it would be pretty straightforward, but didn't have
time.

On Sat, Jan 17, 2009 at 12:36:47AM -0800, Jamie Beverly wrote:
>
> It's not a port of anything, I just wrote it. But I believe it is
> what you are looking for.
>
> http://pamsshagentauth.sf.net/

I'm delighted to see that - thanks!

I think it can improve security on ec2, since typing passwords on a
possibly-compromised machine is a bad idea. And of course it can also
improve the user experience.

Cheers,

Neal McBurnett http://neal.mcburnett.org/

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
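An added example (mine, not code from the thread or from the pam_ssh_agent_auth project): the Ubuntu-side wiring the module Jamie points to needs, plus a POSIX-shell check for the three things that are easy to get wrong: module order in /etc/pam.d/sudo, SSH_AUTH_SOCK surviving sudo's environment scrubbing, and a key file the authorized users cannot edit. The file paths and the use of GNU `stat -c` are assumptions about a standard Ubuntu layout, not taken from the posts.

```shell
#!/bin/sh
# Added example, not code from the thread or from pam_ssh_agent_auth.
# Paths are the usual Ubuntu ones and `stat -c` is GNU stat (assumptions).

# sudo scrubs the environment; without this line the forwarded agent socket
# never reaches the PAM module and it silently falls through to a password.
sudoers_snippet() {
    printf '%s\n' 'Defaults env_keep += "SSH_AUTH_SOCK"'
}

# In /etc/pam.d/sudo the agent check must come BEFORE @include common-auth:
# "sufficient" then short-circuits, so no password prompt is ever answered
# on the remote host. Keys live in a root-owned file, not in ~/.ssh.
pam_snippet() {
    printf '%s\n' 'auth sufficient pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys'
}

# check_setup PAMFILE SUDOERSFILE KEYFILE -> 0 if wired correctly, 1 otherwise
check_setup() {
    pam=$1; sudoers=$2; keyfile=$3
    modline=$(grep -n '^[[:space:]]*auth.*pam_ssh_agent_auth\.so' "$pam" | head -1 | cut -d: -f1)
    incline=$(grep -n '^[[:space:]]*@include[[:space:]]*common-auth' "$pam" | head -1 | cut -d: -f1)
    [ -n "$modline" ] || { echo "missing pam_ssh_agent_auth line in $pam"; return 1; }
    if [ -n "$incline" ] && [ "$modline" -gt "$incline" ]; then
        echo "pam_ssh_agent_auth.so must precede common-auth in $pam"; return 1
    fi
    grep -q 'env_keep *+= *"SSH_AUTH_SOCK"' "$sudoers" ||
        { echo "SSH_AUTH_SOCK not kept by $sudoers"; return 1; }
    # The key file decides who may become root, so it must not be writable
    # by group or other (those octal digits would have the 2 bit set).
    if [ -e "$keyfile" ]; then
        mode=$(stat -c %a "$keyfile")
        case ${mode#"${mode%??}"} in
            *[2367]*) echo "$keyfile is group/world writable ($mode)"; return 1 ;;
        esac
    fi
    return 0
}
```

Agent forwarding keeps the private key on the local machine, but while the session is open a compromised remote host can still ask the forwarded agent to sign, so the gain is against password capture, not against live misuse of the agent. Loading keys with `ssh-add -c` makes the local agent confirm each signing request, which narrows that window.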