[sudo-users] How does sudo improve security.

Rogan Dawes lists at dawes.za.net
Mon Apr 11 03:04:35 EDT 2005


mlh at zip.com.au wrote:

>The cracker's job (please, not hacker; that's something else) doesn't really
>get more access because he would still need to know the employee's password.
>Of course, it lowers the bar a little, because he only has to guess/discover
>one of a number of users' passwords.  So practice other good security;
>like use ssh.  If you want to make it less brittle you can use other
>authentication mechanisms like securid but that may be overkill for you.
>
>Matt
>
Your comment raises an interesting issue. If one uses SSH for accessing 
the system, using authorized keys, it may well happen that the password 
on the system is unused for a long period of time. It also negates the 
benefit of using strong key-based authentication in a way, if you now 
ALSO have to remember a password.

Has anyone thought about extending sudo to authenticate the user by 
using SSH's authorized_keys mechanism?

i.e. root maintains a list of users and their corresponding public keys. 
If the user wishes to perform a sudo operation, they simply need to 
prove that they have access to the corresponding private key. This could 
be via typing the passphrase for a local private key, or possibly by 
means of a query to an ssh-agent instance, if one is defined.

The list would have to be root-maintained, otherwise an attacker could 
simply add their own public key to the user's authorized_keys file . . . .

Possible down-side is that the user gets no notification that a query is 
being made to the ssh-agent. This means that malicious software/trojan, 
etc. could check to see if an agent is configured, then try to sudo 
something, with no interaction required from the user.

There are probably ways in which this could be addressed, however.

Comments?

Rogan
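
An added example, not part of the original post and not sudo code: the requirement above that the key list be root-maintained can be audited by checking ownership and group/other write bits on the file and on every parent directory, since write access to a parent allows the file to be replaced. The function name `audit_key_list` and the default path `/etc/sudo_authorized_keys` are assumptions made for illustration.

```python
import os
import stat
import sys


def audit_key_list(path, trusted_uid=0, top="/"):
    """Return findings; an empty list means only trusted_uid can modify the list.

    Walks from the key list file up to `top`, because anyone who can write
    to a parent directory can rename the file away and substitute their own.
    """
    findings = []
    current = os.path.realpath(path)   # follow symlinks to the real target
    top = os.path.realpath(top)
    is_leaf = True
    while True:
        st = os.stat(current)
        if is_leaf and not stat.S_ISREG(st.st_mode):
            findings.append(f"{current}: not a regular file")
        if st.st_uid != trusted_uid:
            findings.append(
                f"{current}: owned by uid {st.st_uid}, expected {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{current}: writable by group or others")
        # Stop at the requested top directory or at the filesystem root.
        if current == top or current == os.path.dirname(current):
            break
        current = os.path.dirname(current)
        is_leaf = False
    return findings


if __name__ == "__main__":
    # Hypothetical default location; pass the real path as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/sudo_authorized_keys"
    try:
        problems = audit_key_list(target)
    except OSError as exc:
        sys.exit(f"cannot audit {target}: {exc}")
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```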


