su/sudo using ssh auth

Dan Astoorian djast at cs.toronto.edu
Fri Nov 2 16:22:32 EST 2001


On Fri, 02 Nov 2001 16:08:02 EST, John E Hein writes:
> 
> rm, mount, cpio, etc., etc.
> I want these to be authenticated once for the parent process, then
>  children who invoke sudo need not enter a password.  I don't want
>  carte blanche NOPASSWD in sudoers (which applies to anyone
>  running a sudo that uses that sudoers - usually per machine).
>  Nor do I want to have to edit sudoers each time I add a command
>  I want to run with sudo to this or some other script.

(Removed openssh-unix-dev at mindrot.org from the recipients, as this isn't
an OpenSSH question anymore.)

I'm not sure you're completely clear about how ssh-agent works.

There isn't any credential which is specific to the program run via
ssh-agent; any unrelated process which belongs to the same userid can
connect to and use the agent as long as it's running.  The parent
process and its children are provided with an environment variable that
tells them where to find the agent, but there's nothing to prevent other
processes from finding and using the same agent.

Thus, applying the ssh-agent model to sudo would effectively give carte
blanche NOPASSWD to the userid running your "sudo-agent" for as long as
the agent is running.

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at cs.toronto.edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican

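The access model Dan describes above, worked through as an added example (this is not code from the original message or from OpenSSH): an agent socket is addressed by path, so any process running under the same uid can locate it on the filesystem and use it, whether or not it inherited SSH_AUTH_SOCK. To keep the demonstration self-contained it stands up a constructed stand-in for ssh-agent that answers the real SSH_AGENTC_REQUEST_IDENTITIES message with two made-up identities; the socket directory, key names and the `find_agent_sockets`, `socket_mode_ok`, `list_identities` and `demo` helpers are all assumptions of this example.

```python
"""Why a per-uid agent cannot give per-process authorization: any same-uid
process can find the agent socket and talk to it. Constructed demonstration."""
import os
import socket
import stat
import struct
import tempfile
import threading

# Real ssh-agent protocol message numbers (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def find_agent_sockets(roots, uid=None):
    """Audit helper: unix-domain sockets under `roots` owned by `uid` (default:
    the current uid). This is all an unrelated same-uid process needs to do to
    locate an agent it never inherited SSH_AUTH_SOCK for."""
    uid = os.getuid() if uid is None else uid
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISSOCK(st.st_mode) and st.st_uid == uid:
                    found.append(path)
    return sorted(found)


def socket_mode_ok(path):
    """Audit check: the socket must not be group/other accessible. Note this
    only keeps *other uids* out; it says nothing about same-uid processes."""
    return (os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def _recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed connection")
        buf += chunk
    return buf


def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def list_identities(path):
    """Connect to the agent at `path` (SSH_AUTH_SOCK is never consulted) and
    return the comments of the identities it reports. No per-process credential
    is involved: the path is the only thing needed."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
        (length,) = struct.unpack(">I", _recv_exact(s, 4))
        body = _recv_exact(s, length)
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise RuntimeError("unexpected agent reply type %d" % body[0])
    (nkeys,) = struct.unpack(">I", body[1:5])
    off, comments = 5, []
    for _ in range(nkeys):
        _blob, off = _read_string(body, off)      # key blob (constructed here)
        comment, off = _read_string(body, off)
        comments.append(comment.decode())
    return comments


def start_fake_agent(path, comments):
    """Constructed stand-in for ssh-agent: answers REQUEST_IDENTITIES with one
    made-up identity per comment. Returns a stop() callable."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)           # same mode ssh-agent uses for its socket
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()
    reply = struct.pack(">BI", SSH_AGENT_IDENTITIES_ANSWER, len(comments))
    for i, c in enumerate(comments):
        blob = b"constructed-key-blob-%d" % i
        reply += struct.pack(">I", len(blob)) + blob
        reply += struct.pack(">I", len(c)) + c.encode()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                _recv_exact(conn, 5)  # length(1) + REQUEST_IDENTITIES byte
                conn.sendall(struct.pack(">I", len(reply)) + reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return stop.set


def demo():
    """Run the agent in a private temp dir, drop SSH_AUTH_SOCK, and show that a
    process with no inherited environment still finds and uses it."""
    tmp = tempfile.mkdtemp(prefix="agent-demo-")
    path = os.path.join(tmp, "agent.demo")
    stop = start_fake_agent(path, ["laptop", "deploy"])
    try:
        os.environ.pop("SSH_AUTH_SOCK", None)   # nothing inherited
        sockets = find_agent_sockets([tmp])
        return {"found": sockets == [path], "private": socket_mode_ok(path),
                "keys": list_identities(sockets[0])}
    finally:
        stop()


if __name__ == "__main__":
    print(demo())
```

The `socket_mode_ok` check passes and the identities are still listed, which is the point: file permissions separate uids, not processes, so a "sudo-agent" built this way would authorize every process of that uid for the agent's lifetime. What OpenSSH itself offers against this class of exposure is per-use confirmation (`ssh-add -c`) and a key lifetime (`ssh-add -t`), both of which bound what a same-uid process can do with the agent rather than pretending it cannot reach it.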