I am not asking how to do anything here, rather trying to understand best practices and the "right" way to handle server security. To prevent brute force password attacks, I have secured my server in a number of ways, one of which is password-protected SSH keys for login on any user (right now it is a single developer box). Obviously any time a user needs to log in he will need access to both the key and the password for that key.

However, I am trying to understand how I should handle a system password for that (or any) particular user, specifically when dealing with sudo. A few questions:

  • is there value in giving each user a password at all (so he/she can use sudo)?
  • if so, is it overkill to use an insanely secure password for such (i.e. 384 bits+)?
  • assuming the answer above is no:
    • How could any user remember this password every time they need to run a sudo command (yes, lastpass, dashlane, 1pass, etc. are options, but having to open/authenticate/find and copy that really long password seems like a huge pain in the ass)?
    • What is secure enough for these passwords and does it matter if dictionary attacks would find the sudo password in 3 seconds anyway?

Thank you ahead of time!

JM4

2 Answers

I go the opposite way and use passwordless sudo.

%sudo ALL=(ALL:ALL) NOPASSWD:ALL

As you point out, make sure your user ssh keys have a passphrase. Also, make sure you disable password authentication to SSH.

If you've done the above, I find this configuration is very functional.

dmourati
  • I was kind of thinking the same thing. I suppose the *only* benefit of having sudo passwords after SSH key authentication would be to add an extra layer of security (albeit likely unnecessary). It seems if somebody already has access to the server by getting past your password protected ssh key then you have bigger problems and would likely be susceptible anyway. Is that your thought? – JM4 Dec 13 '13 at 23:18
  • I just don't like passwords. Forgot to mention, you can also look at Google Authenticator or Duo for two-factor auth: https://www.duosecurity.com/docs/duounix – dmourati Dec 13 '13 at 23:55

Having a password on sudo isn't just about authentication, it provides an interrupt to authorize requests too.

If you copy and paste in a script that contains sudo rm -rf /, passwordless sudo won't help you.

There is also the possibility that a potential user becomes a target for privilege escalation by another user, if a malicious user can somehow become the trusted user who has passwordless sudo access; say the trusted user has an innocuous cron job that executes a script the malicious user has write privileges to and he changes the script to do something else.

These may not be concerns to you, but note that the password prompt prevents certain attack vectors from becoming a reality.

Matthew Ife
  • @Mlfe - then how would you handle the password per my question? An incredibly difficult password to remember? One the user sets (and likely is easy)? One that is cumbersome to enter each time (which could slow down development drastically if sudo actions are needed often)? – JM4 Dec 14 '13 at 00:37
  • I would aim for something at least 8 characters long and containing 2 character classes. (numbers and letters or upper/lower case). But not something drastically complicated. – Matthew Ife Dec 14 '13 at 00:42
  • @MIfe I think the question is more like he has an extremely strong password (say 30 characters), but this really strong password makes sudo difficult to use. As for protecting a sysadmin from himself, I am of the opinion that is silly. That is a case for convincing people to use configuration management tools, and making sure they have good backup/restore systems in place. A password prompt will not stop a determined ignorant person from doing a large amount of damage, when that person knows the password. – Zoredache Dec 14 '13 at 00:46
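
The cron scenario raised in the second answer can be checked for directly. The following is an added example, not code from either answer: it collects the absolute paths a user crontab runs and reports any that an account other than root or the crontab owner could replace. The sample crontab, its paths and the function names are constructed for illustration, and the user-crontab format (no user column) is assumed.

```python
import os, re, shlex, stat

# Constructed sample: user crontab (no user column) of the NOPASSWD account.
SAMPLE_CRONTAB = """\
MAILTO=ops@example.com
# m h dom mon dow command
*/5 * * * * /opt/jobs/rotate.sh --quiet
@daily /bin/sh /opt/jobs/report.sh
"""

def cron_paths(crontab_text):
    """Return every absolute path named in the commands of a user crontab."""
    paths = []
    for line in map(str.strip, crontab_text.splitlines()):
        if not line or line.startswith("#") or re.match(r"[A-Za-z_]\w*\s*=", line):
            continue  # blank line, comment, or environment assignment
        nfields = 1 if line.startswith("@") else 5  # schedule fields before the command
        parts = line.split(None, nfields)
        if len(parts) <= nfields:
            continue  # schedule with no command
        try:
            tokens = shlex.split(parts[nfields])
        except ValueError:  # unbalanced quotes: fall back to a plain split
            tokens = parts[nfields].split()
        paths += [t for t in tokens if t.startswith("/")]
    return paths

def tamper_risks(path, trusted_uid):
    """List reasons an account other than root/trusted_uid could replace path."""
    findings, path = [], os.path.realpath(path)
    while True:  # the file itself, then each parent directory up to /
        try:
            st = os.stat(path)
        except OSError as exc:
            findings.append(f"{path}: {exc.strerror}")
        else:
            # A sticky directory (like /tmp) only lets owners remove their own entries.
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_uid not in (0, trusted_uid):
                findings.append(f"{path}: owned by uid {st.st_uid}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
                findings.append(f"{path}: group/world-writable {stat.filemode(st.st_mode)}")
        parent = os.path.dirname(path)
        if parent == path:
            return findings
        path = parent

if __name__ == "__main__":
    for p in cron_paths(SAMPLE_CRONTAB):
        print(p, tamper_risks(p, os.getuid()) or "ok")
```

The group-write check is deliberately conservative: on systems that give each user a private group it will flag files that only the owner can in practice modify.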