[sudo-users] LDAP Password Security

LE BOUTER Leo leo.lebouter-ext at aphp.fr
Tue Apr 7 09:09:25 MDT 2020


TOTP for sudo auth sounds good, as long as the TOTP private key isn't on each and every server.

Thanks, I'll study the various PAM modules more in depth.

Leo Le Bouter
Infrastructure Security Engineer
Health Data Warehouse (Entrepôt de Données de Santé, WIND)

________________________________________
From: Todd C. Miller [Todd.Miller at sudo.ws]
Sent: Tuesday, April 07, 2020 4:50 PM
To: LE BOUTER Leo
Cc: Michael Ströder; sudo-users at sudo.ws
Subject: Re: [sudo-users] LDAP Password Security

On Tue, 07 Apr 2020 14:25:34 -0000, LE BOUTER Leo wrote:

> I was comparing sudo to how SSO would work on the web.
> SSO on the web uses an Identity Server that only gives a service
> specific temporary token, not the user's password.  Here, users
> have to give their password to each server that has sudo installed.

On most systems, sudo uses PAM for authentication.  You can configure
it to use a different authentication method by editing the sudo PAM
configuration.  Usually this is stored in /etc/pam.d/sudo.

There are a variety of PAM modules that support different SSO
schemes.  For example, pam_totp can be used with time-based one-time
password systems.

Sudo 1.9.0 will support an additional approval plugin which could
be used to implement separate authentication or approval schemes,
but I think you can achieve what you want with just the PAM
configuration.

 - todd

