[sudo-users] LDAP Password Security

Michael Ströder michael at stroeder.com
Tue Apr 7 03:02:04 MDT 2020


On 4/7/20 1:10 AM, LE BOUTER Leo wrote:
> I am looking to use LDAP with sudo but I am concerned about the idea
> of every server having access to the user's LDAP password at
> authentication time.

You have several options:

1. Turn off password authentication for sudo. This might be a viable
solution if you have really fine-grained login authorization and the
sudoers rule gives root access anyway.

2. Use pam_ssh or pam_ussh, which needs key agent forwarding, which is
also a risk.

3. Use Kerberos 5 (via GSSAPI), which either needs forwardable tickets or
S4U. Note that forwardable tickets are actually ticket granting tickets,
which is as bad as sending the clear-text password. S4U is better but
has to be supported by your KDC and all your systems. Good luck.

4. Add one-time password authc as 2nd authc factor. Does not play well
with automation tools though.

Choose your poison. More usage considerations are needed if you're using
bastion/jump hosts, ansible etc.

(Personally I'd recommend implementing fine-grained login authz to be
able to go for option 1.)

Ciao, Michael.
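One way to verify that option 1 is actually in effect across an LDAP-backed sudoers tree, as an added example that is not part of Michael's reply: the script below parses an LDIF export of the SUDOers subtree (the entries and DNs are constructed sample data) and lists the sudoRole entries that would still prompt for the user's LDAP password. It relies on the sudoers LDAP schema convention that sudoOption values in cn=defaults apply to every rule and a role's own sudoOption values override them.

```python
"""Audit sudo-ldap sudoRole entries for rules that still prompt for the LDAP
password (option 1 in the mail). Added example; all DNs and roles are constructed."""
SAMPLE_LDIF = """dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
sudoOption: env_reset

dn: cn=admins,ou=SUDOers,dc=example,dc=com
cn: admins
sudoUser: %admins
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=dbops,ou=SUDOers,dc=example,dc=com
cn: dbops
sudoUser: %dbops
sudoHost: db*.example.com
sudoRunAsUser: postgres
sudoCommand: /usr/bin/systemctl restart postgresql
"""

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; handles ' '-prefixed continuation lines."""
    entries, entry, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:      # continuation of the previous value
            entry[last][-1] += raw[1:]
        elif raw == "":                        # blank line terminates an entry
            if entry:
                entries.append(entry)
            entry, last = {}, None
        else:
            attr, _, value = raw.partition(":")
            entry.setdefault(attr, []).append(value.strip())
            last = attr
    return entries

def roles_prompting_for_password(text):
    """cn of each sudoRole that still prompts: cn=defaults sudoOption applies to
    all rules, and a role's own sudoOption overrides it."""
    by_cn = {e["cn"][0]: e for e in parse_ldif(text) if "cn" in e}
    global_noauth = "!authenticate" in by_cn.get("defaults", {}).get("sudoOption", [])
    prompting = []
    for cn, e in by_cn.items():
        opts = e.get("sudoOption", [])
        noauth = "!authenticate" in opts or (global_noauth and "authenticate" not in opts)
        if cn != "defaults" and not noauth:
            prompting.append(cn)
    return prompting
```

Run it against a real export (e.g. the output of `ldapsearch -LLL -b ou=SUDOers,...`) to see which roles would still cause sudo to ask for the LDAP password on each server.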

