[sudo-users] sudo authentication using ssh-agent

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Fri Feb 17 05:58:03 EST 2006

Hi Gray,

If password authentication is an issue, you should consider allowing the execution of sudos without a password. The added value of passwords for sudo is rather doubtful.

For security reasons, I'd rather recommend to take the following steps:
1. Have all sudo authorization managed from within LDAP and prohibit the use of local /etc/sudoers files.
   - Local /etc/sudoers files are harder to maintain, especially in large environments.
   - Local /etc/sudoers files are harder to audit for back doors.
   - If a seperation of responsibilities is required (between security management and system management), then it is much
     easier to maintain this seperation if sudo authorizations are managed from within LDAP.
2. Have all sudo logging collected at a central log host, via syslog.

At our company, which is a large financial institution, affected by SOX, we do not require users to type in a password if they want to execute a sudo. But we have taken the steps outlined above, as well as a few others. And frankly, we feel quite SOX-compliant with regard to sudo, even without this requirement for a password.

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,

Huibert Kivits
Locatiecode NA 00.92
T (020) 563 73 33, F (020) 563 70 02
E Huibert.Kivits at mail.ing.nl

"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4

-----Oorspronkelijk bericht-----
Van: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] Namens Gray Watson
Verzonden: vrijdag 17 februari 2006 1:55
Aan: sudo-users at sudo.ws
Onderwerp: [sudo-users] sudo authentication using ssh-agent

In the following message, Rogan Dawes makes a request that I'd like to second.


Is anyone considering adding support into sudo for ssh-agent authentication?  My problem is that I have sudo on work, home, and other systems.  I use ssh-agent to control my logins but I always wince when I type in my home password on my work system -- possibly exposing a password in a less secure environment.

If sudo authentication was done with a challenge-response on an established ssh key via the ssh-agent socket, in my view I would have improved security on the systems that I manage.  /etc/sudoers could not only list the users with permissions but the public keys of the users.  If the SSH_AUTH_SOCK was available it could interrogate the remote ssh-agent otherwise it would prompt for local password.

Gray Watson ____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.

More information about the sudo-users mailing list