1

This has bugged me for some years now. I had a small webserver and I used ssh to log in remotely. I noticed that from the very first day there were brute-force attacks on my ssh.

This made me think about security and I realised that if a system has users in sudoers, a successful ssh attack on such a user account is game over immediately. Why is there no option to set a different password for sudo? I can't be the first person who thought of that, right?

tst

2 Answers

4

First, not all attacks require knowing the password. Many attacks against services (or daemons) target vulnerabilities in code and end in executing code on behalf of a user without knowing the password. In that case, the default sudo configuration adds security by requiring knowledge of the password.

Another example, in a multi-user environment, is when a user leaves his terminal unattended (you and I know that it is bad and never do it ourselves, but...): an attacker can execute commands on behalf of the user but still cannot use sudo.

Finally, as you speak of ssh, the common use is to only use an (RSA) key for user authentication. That way, the ssh connection never uses the password, which is only used for a direct local connection or to gain root access via sudo. It can even be forced by disabling the use of the password in the sshd configuration. In the case of a remote server, the local user password is then indeed only used to gain root access.

But the real answer to your question is that the option does exist! The /etc/sudoers file can be used to declare the boolean flag rootpw. If this flag is set, the password shall be the password for root instead of the password for the current user.

If the sudoers file contains the line:

Defaults rootpw

then you will be asked for the root password. This flag is off by default and is seldom used because it is not really the sudo philosophy but the su one: if you do know the password for root, you can directly use su, bypassing all additional sudo controls.

sudo is indeed a highly versatile command, and you really should read man sudoers.

Xiong Chiamiov
Serge Ballesta
  • Ah, yes, I know of this option. I was wondering why there is no option to use a different password for each user. – tst Jun 06 '17 at 15:00
  • @tst: because with ssh access only via keys, the user password is only used for root access... – Serge Ballesta Jun 06 '17 at 15:17
2

This is simple.

  1. You can limit who can sudo through the use of the sudoers file.
  2. You should ALWAYS set your ssh to only accept public/private key connections (i.e. use a key file!).
  3. A different password would offer 0 additional security, as it's just as easy to do nasty things to retrieve it as soon as you have user access (basically making you give your password to them).
  4. Most SSH servers have some form of brute-force protection in place, limiting the number of tries any IP gets. When this is in place the chance to actually guess the password is quite narrow.
  5. Nearly all of those attempts are scripts, and they want to try to use means other than a password to elevate permissions.

Your solution of using a different password will just annoy the legitimate user of the system and offer little to no barrier for an attacker. Better to use the user's password and hope you set a properly long one (like 4096 bits long or so......)

LvB
  • If I understand this, you mean to disable password based authentication globally in the sshd config, but still set a user password so that it is used when the user tries to run a sudo command? – mgjk Jun 06 '17 at 14:21
  • for a public facing SSH server, YES. – LvB Jun 06 '17 at 14:32
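
Both answers come down to the same two configuration points: sshd should not accept passwords at all (so the user password is never exposed to a brute-force attempt), and sudo's prompt can be redirected to root's password with `rootpw` (or `targetpw`), while the sudoers rules themselves limit who may escalate. The script below is an added example and not code from either answer: it writes constructed sudoers and sshd_config excerpts to a temporary directory and audits them the way one would check a real host. The file names, the `admin` group and the user `alice` are assumptions for illustration. Only global `Defaults` lines are inspected; `Defaults:user` / `Defaults@host` lines, `@include`d files and sshd `Match` blocks are deliberately not followed.

```shell
#!/bin/sh
# Added example (not from the answers above): audit a sudoers file and an
# sshd_config for the settings both answers recommend. Every sample file is
# constructed here; "admin", "alice" and the file names are assumptions.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed hardened sudoers: sudo prompts for root's password (rootpw) and
# only root plus the "admin" group may use sudo. alice keeps her own password.
HARDENED_SUDOERS="$WORK/sudoers.hardened"
cat > "$HARDENED_SUDOERS" <<'EOF'
# Prompt for root's password instead of the invoking user's
Defaults rootpw
# Per-user override: alice still authenticates with her own password
Defaults:alice !rootpw
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL:ALL) ALL
EOF

# Constructed stock-looking sudoers: invoking user's password, %sudo group
DEFAULT_SUDOERS="$WORK/sudoers.default"
cat > "$DEFAULT_SUDOERS" <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
EOF

# Constructed sshd_config excerpts: key-only versus compiled-in defaults.
# KbdInteractiveAuthentication matters too: with PAM it can still take a password.
HARDENED_SSHD="$WORK/sshd_config.hardened"
cat > "$HARDENED_SSHD" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF

DEFAULT_SSHD="$WORK/sshd_config.default"
cat > "$DEFAULT_SSHD" <<'EOF'
#PasswordAuthentication yes
PermitRootLogin prohibit-password
EOF

# Drop "#" comments. Legacy "#include" directives are not followed here.
strip_comments() { sed 's/#.*//' "$1"; }

# Return 0 if a *global* "Defaults" line turns on rootpw or targetpw, i.e. sudo
# prompts for root's password. Defaults:user / Defaults@host lines and the
# negated form (!rootpw) are ignored on purpose.
sudoers_asks_for_root_password() {
    strip_comments "$1" | grep -Eq \
      '^[[:space:]]*Defaults[[:space:]]+([^,]*,[[:space:]]*)*(rootpw|targetpw)([[:space:],]|$)'
}

# Print every user or %group granted a sudo rule (first field of each line that
# is neither a Defaults nor an alias definition), sorted, space-separated.
sudoers_principals() {
    strip_comments "$1" \
      | awk 'NF && $1 !~ /^(Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)/ {print $1}' \
      | LC_ALL=C sort -u | paste -s -d ' ' -
}

# First value of an sshd keyword (case-insensitive regex on the keyword), or the
# given default. sshd itself honours the *first* occurrence of a keyword.
sshd_option() {
    v=$(strip_comments "$1" | awk -v k="$2" 'tolower($1) ~ k { print tolower($2); exit }')
    printf '%s\n' "${v:-$3}"
}

# Return 0 only if neither password nor keyboard-interactive (PAM) logins are
# possible. Both default to "yes" when the keyword is absent.
sshd_password_auth_disabled() {
    [ "$(sshd_option "$1" '^passwordauthentication$' yes)" = "no" ] &&
    [ "$(sshd_option "$1" '^(kbdinteractiveauthentication|challengeresponseauthentication)$' yes)" = "no" ]
}

# Report on one sudoers/sshd_config pair; return 0 only if both checks pass.
audit_host() {
    ok=0
    echo "sudo principals: $(sudoers_principals "$1")"
    if sudoers_asks_for_root_password "$1"; then
        echo "ok:   sudo prompts for root's password (rootpw/targetpw)"
    else
        echo "warn: sudo prompts for the invoking user's password (default)"; ok=1
    fi
    if sshd_password_auth_disabled "$2"; then
        echo "ok:   sshd refuses password logins"
    else
        echo "warn: sshd accepts passwords; a brute-forced login yields the secret sudo asks for"; ok=1
    fi
    return $ok
}

echo "== hardened host =="
audit_host "$HARDENED_SUDOERS" "$HARDENED_SSHD" || echo "-> findings need attention"
echo "== stock host =="
audit_host "$DEFAULT_SUDOERS" "$DEFAULT_SSHD" || echo "-> findings need attention"
```

On a real host, validate the file with `visudo -c -f /path/to/sudoers` before trusting it, and compare against `sudo -l` for the effective rules. For sshd, `sshd -T` prints the fully resolved configuration, including `Match` blocks, which this script ignores; check `PasswordAuthentication` and `KbdInteractiveAuthentication` there, because with `UsePAM yes` a password can still be accepted through keyboard-interactive authentication even when `PasswordAuthentication` is off.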