can sudo use SSH passphrase rather than user sys passwd ?

Dan Rue drue at therub.org
Tue Feb 10 13:55:33 EST 2004


On Tue, Feb 10, 2004 at 02:04:07PM +0100, atherios at free.fr wrote:
> Hi,
> 
> I set up SSHv2 key authentication to connect to servers.
> Each guy can run privileged commands via sudo.
> The trouble is that, as they log in via SSH key only, they don't
> have a 'real' system password. But sudo (seems to) requires
> a password to run the privileged command.
> 
> Can I tell sudo to authenticate the user through his SSH key?
> That is, can sudo validate the ssh passphrase rather than the system passwd?

You have a good opportunity here.  Since all of your users are using ssh
keys to authenticate to the server, there is no point in using said keys
to authenticate to sudo, since they have to have the keys to be logged
into the server.  But, if you had them set a system password, that would
be a second defense - especially if you did not allow logins via a
password.  So, only allow ssh key authentication to your sessions.
Then, the users will have to supply a password to use sudo -- and you
have two good lines of defense.  

Otherwise, you may as well just disable password auth with sudo - since
you know that your users have good keys (and thus there's no point in
authenticating against them, it's just redundant).

hth, 
dan
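
The posture described in the reply above (key-only SSH logins, with sudo still prompting for a system password) can be checked from the two config files. This is an added example, not part of the original message; the function names are hypothetical and the file contents are constructed samples. It assumes a single sudoers file and reads only the global section of sshd_config.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample configs are constructed.

# Effective value of a global sshd_config keyword: keywords are case-insensitive
# and the first occurrence wins. Stops at the first Match block; no Include handling.
sshd_value() {  # $1 = config file, $2 = keyword, $3 = default when unset
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Succeeds when no active sudoers line lifts the password prompt
# (a NOPASSWD: tag or "Defaults !authenticate").
sudo_requires_password() {  # $1 = sudoers file
    ! grep -v '^[[:space:]]*#' "$1" |
        grep -Eq 'NOPASSWD[[:space:]]*:|![[:space:]]*authenticate'
}

# Succeeds only when SSH login is key-only AND sudo still asks for a password.
# Keyboard-interactive (PAM) logins are a separate sshd keyword, not checked here.
two_lines_of_defense() {  # $1 = sshd_config, $2 = sudoers
    [ "$(sshd_value "$1" PubkeyAuthentication yes)" = yes ] &&
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = no ] &&
    sudo_requires_password "$2"
}

demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample: keys only, no password logins
PubkeyAuthentication yes
PasswordAuthentication no
EOF
# constructed sample: sudo prompts for the user's system password
echo '%admins ALL=(ALL) ALL' > "$demo_dir/sudoers.strict"
# constructed sample: password prompt disabled for sudo
echo '%admins ALL=(ALL) NOPASSWD: ALL' > "$demo_dir/sudoers.nopasswd"

for variant in strict nopasswd; do
    if two_lines_of_defense "$demo_dir/sshd_config" "$demo_dir/sudoers.$variant"; then
        echo "$variant: key-only login and sudo password prompt both in place"
    else
        echo "$variant: only one factor (or none) stands between login and root"
    fi
done
```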



More information about the sudo-users mailing list