[sudo-users] Cache password at login?
jamie.beverly at yahoo.com
Wed Dec 9 16:49:55 EST 2009
Remind me never to reply to a thread from my iphone... it apparently does not know how to correctly preserve quoting.
----- Original Message ----
> From: Edward Capriolo <edlinuxguru at gmail.com>
> To: Jamie Beverly <jamie.beverly at yahoo.com>
> Cc: Eric S. Johansson <esj at harvee.org>; Pepijn Schmitz <pepijn.schmitz at gmail.com>; "sudo-users at sudo.ws" <sudo-users at sudo.ws>
> Sent: Wed, December 9, 2009 9:22:33 AM
> Subject: Re: [sudo-users] Cache password at login?
> On Wed, Dec 9, 2009 at 9:30 AM, Jamie Beverly wrote:
> > On Dec 8, 2009, at 3:29 PM, "Eric S. Johansson" wrote:
> > Pepijn Schmitz wrote:
> > Hi everyone,
> > I have a question that I haven't been able to find the answer to on the
> > Internet or in the sudo manual: is it possible to cache the password when I
> > log in?
> > I frequently log on to my Ubuntu server to perform some administrative
> > tasks. Every time I have to give my password to log in, and then immediately
> > give my password again to sudo. It would be nice if the login program, which
> > runs as root, could set my sudo timestamp somehow so that if I execute sudo
> > immediately after logging in it doesn't have to ask me for my password. Is
> > there a way to do this with login / sudo / some other tool?
> > set up the root account to authenticate via ssh keys. login as root and bingo.
> > otoh, I've always wondered why one can't use ssh keys for authentication for
> > sudo. one login method for all access.
Is a PAM module I authored, which I use for sudo (among other things). It allows a forwarded ssh-agent to be used as authentication for local services.
> I spend some time setting up a public key in ldap and sudo LDAP solution.
> The two systems are somewhat at odds, if you are logging in with a
> key_file you probably do not want passwords for sudo, and vice-versa.
> I always thought it would be nice to enforce two-factor authentication.
> For example login request public key and server side password. Or in a
> super secure environment three form,
> public key+password+one time password.
Entirely possible with the module above, simply use "required" instead of "sufficient" in the PAM stack.
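
What the switch from "sufficient" to "required" changes, as an added example that is not part of the original post: a simplified Python model of how Linux-PAM evaluates the control flags of an auth stack. The module names are hypothetical placeholders, and only the required, requisite, sufficient and optional flags are modelled.

```python
# Added example: simplified model of Linux-PAM auth-stack control flags.
# Module names below are hypothetical placeholders, not real module files.

SINGLE_FACTOR = """
auth sufficient pam_agent_example.so     # forwarded ssh-agent check
auth required   pam_password_example.so  # password prompt
"""

TWO_FACTOR = """
auth required   pam_agent_example.so     # forwarded ssh-agent check
auth required   pam_password_example.so  # password prompt
"""

def parse_stack(text):
    """Return (control, module) pairs for every 'auth' line in a PAM file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def authenticate(stack, results):
    """Evaluate the stack; results maps module name -> True on success."""
    failed = False      # some 'required' module has failed
    succeeded = False   # some required/requisite module has succeeded
    for control, module in stack:
        ok = results.get(module, False)
        if control == "requisite":
            if not ok:
                return False          # fail immediately
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True         # remember failure, keep running stack
        elif control == "sufficient":
            if ok and not failed:
                return True           # short-circuit: later modules skipped
        elif control != "optional":
            raise ValueError("unsupported control flag: " + control)
    return succeeded and not failed

if __name__ == "__main__":
    agent_only = {"pam_agent_example.so": True, "pam_password_example.so": False}
    print("sufficient, agent only:", authenticate(parse_stack(SINGLE_FACTOR), agent_only))
    print("required, agent only:  ", authenticate(parse_stack(TWO_FACTOR), agent_only))
```
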