sudo without password when logged in with SSH private keys


Is it possible to make the sudo command support SSH private keys, so that when a user logs in using a private key he/she could sudo without typing a password?

This would allow storing the UNIX sysadmin passwords in an encrypted cold storage and never need to access them, assuming the users use secure private SSH keys always to login on the server.

Mikko Ohtamaa

Posted 2012-10-24T20:54:20.340

Reputation: 1 790

http://askubuntu.com/a/135838 If you put those users into a group, you sure can! – Rob – 2012-10-24T21:07:45.677

try sudo visudo and change your password to NOPASSWD: ALL see if that works – pneumatics – 2012-10-24T21:08:15.190

@AlanTuring That would also work for users in that group who identified via a password. – Xyon – 2012-10-24T21:27:26.960

@AlanTuring That would effectively decrease the security of the server - I want only certain users, not all, sudo – Mikko Ohtamaa – 2012-10-24T22:14:13.613

It's possible to give privileges to specific users. See my answer. – Isaac Rabinovitch – 2012-10-26T08:21:43.410

Answers


The option to do so has existed since (at least) April 2014.

You will need to install a package called pam_ssh_agent_auth (available for CentOS 7 out of the box, YMMV), then configure /etc/pam.d/sudo to accept it as an authorization method. Finally, you may need to add SSH_AUTH_SOCK to the list of environment variables that persist during sudo.

The Gentoo wiki has details for these steps.

Liam Dawson

Posted 2012-10-24T20:54:20.340

Reputation: 362

Lovely, thank you Liam. Too bad I have not been into sysadmin for many years! – Mikko Ohtamaa – 2018-12-27T14:16:02.297
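The three steps in the answer above (PAM line, sudoers line, trusted key list), staged as an added example; this is not code from the thread or from the pam_ssh_agent_auth project. It assumes the module is installed as pam_ssh_agent_auth.so and that the root-owned key list lives at /etc/security/authorized_keys (the path the Gentoo wiki write-up uses); the key line in the demo is constructed. The check function is the part a practitioner wants before enabling the module: whoever can write to that key list can authorise themselves for password-less sudo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pam_ssh_agent_auth project.
# Stages the two configuration fragments the answer describes and checks the key
# list the PAM module will trust. Assumptions: the module is installed as
# pam_ssh_agent_auth.so and the trusted key list is /etc/security/authorized_keys.

SSH_AGENT_KEYFILE="${SSH_AGENT_KEYFILE:-/etc/security/authorized_keys}"

# First line of /etc/pam.d/sudo: accept an agent that proves possession of a listed
# key. "sufficient" leaves the remaining auth lines (password) as a fallback when
# no agent is reachable in the session.
pam_sudo_line() {
    printf 'auth sufficient pam_ssh_agent_auth.so file=%s\n' "$SSH_AGENT_KEYFILE"
}

# sudoers line: sudo scrubs the environment, so the agent socket path must be kept
# or the module never finds the forwarded agent.
sudoers_line() {
    printf 'Defaults env_keep += "SSH_AUTH_SOCK"\n'
}

# Stage both fragments under a directory instead of touching live config. The PAM
# fragment is meant to be prepended to the distribution's /etc/pam.d/sudo; the
# sudoers fragment goes into /etc/sudoers.d/ (mode 0440) after `visudo -c`.
render_config() {
    dir="$1"
    mkdir -p "$dir/pam.d" "$dir/sudoers.d"
    pam_sudo_line > "$dir/pam.d/sudo.prepend"
    sudoers_line > "$dir/sudoers.d/ssh-agent-auth"
}

# The key list is a root-equivalent trust anchor: a user who can write to it can
# add their own key. Require the expected owner (root by default), no group/world
# write bits, and at least one public key line.
check_keyfile() {
    f="$1"; owner_expected="${2:-root}"
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    owner=$(stat -c %U "$f" 2>/dev/null || stat -f %Su "$f")   # GNU stat, then BSD stat
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$owner" = "$owner_expected" ] || { echo "$f: owned by $owner, expected $owner_expected" >&2; return 1; }
    # 0$mode is read as octal; 18 is octal 022, the group and world write bits
    [ $(( 0$mode & 18 )) -eq 0 ] || { echo "$f: mode $mode is group/world writable" >&2; return 1; }
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$f" || { echo "$f: no public keys found" >&2; return 1; }
    return 0
}

# Stand-alone run: stage into a temp dir, print the fragments, check the live key list.
if [ "${1:-}" = "--demo" ]; then
    stage=$(mktemp -d)
    render_config "$stage"
    cat "$stage/pam.d/sudo.prepend" "$stage/sudoers.d/ssh-agent-auth"
    check_keyfile "$SSH_AGENT_KEYFILE" || echo "fix the key list before enabling the module"
fi
```

The user-side half of the setup is agent forwarding (`ssh -A`, or `ForwardAgent yes` for that host), since the module authenticates against the agent reachable through SSH_AUTH_SOCK; the design trade-off is that anyone who is already root on that host can use the forwarded agent for as long as the session is open, which is the same trust the answer below argues a NOPASSWD entry grants outright.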


This is not possible without some serious code changes to sudo and sshd. Sudo doesn't know about login methods, and ssh doesn't publish to other programs anything that would indicate whether public key, password, or some other mechanism was used for login.

As someone else said, you can use the NOPASSWD option in sudoers - this would apply to specified users always, though, not only when they use ssh with private keys.

If you really want, there may be tricks you can do with a suid program that checks the sshd log and locks/edits the sudoers file to let that user do a no-password sudo, and a periodic task to revoke this permission.

All that said, I think this is a bad idea. Requiring a password for privileged commands has a couple of nice benefits that private-key SSH doesn't. Notably, it lets you have timeouts for the auth (the password must be re-entered, which is not true for ssh sessions), and it lets you have password minimums and rotation (unlike ssh keys, whose passphrase is outside the server's control).

Dagon

Posted 2012-10-24T20:54:20.340

Reputation: 51

Changing the answer to the correct one containing new information. – Mikko Ohtamaa – 2018-12-27T14:15:39.643

"It can't be done" is not an answer, especially when it can be done. – Isaac Rabinovitch – 2012-10-26T22:58:59.047


A couple of answers point to sudo without a separate user password. You should be aware that this will decrease your security.

For a user that already authenticated strongly with a certificate this might not be an issue, because he is in possession of the certificate that theoretically could make him root.

However, if you think about vulnerabilities that will provide an attacker with a limited user shell, and this user has NOPASSWD set in the sudoers file, the attacker is root without having any credentials to the system at all.

If sudo requires a password from the user the attacker needs time and luck to escalate his privileges to root.

Sebastian Brabetz

Posted 2012-10-24T20:54:20.340

Reputation: 131