su/sudo using ssh auth

Dan Astoorian djast at
Fri Nov 2 16:22:32 EST 2001

On Fri, 02 Nov 2001 16:08:02 EST, John E Hein writes:
> rm, mount, cpio, etc., etc.
> I want these to be authenticated once for the parent process, then
>  children who invoke sudo need not enter a password.  I don't want
> carte blanche NOPASSWD in sudoers (which applies to anyone
>  running a sudo that uses that sudoers - usually per machine).
>  Nor do I want to have to edit sudoers each time I add a command
>  I want to run with sudo to this or some other script.

(Removed openssh-unix-dev at from the recipients, as this isn't
an OpenSSH question anymore.)

I'm not sure you're completely clear about how ssh-agent works.

There isn't any credential which is specific to the program run via
ssh-agent; any unrelated process which belongs to the same userid can
connect to and use the agent as long as it's running.  The parent
process and its children are provided with an environment variable that
tells them where to find the agent, but there's nothing to prevent other
processes from finding and using the same agent.

Thus, applying the ssh-agent model to sudo would effectively give carte
blanche NOPASSWD to the userid running your "sudo-agent" for as long as
the agent is running.

Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at                    not, it's better to have loved and won.  All
                            the other options really suck.    --Dan Redican
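An added illustration of the point Dan makes above; this is not code from his message or from OpenSSH. The client half speaks the real agent protocol (message type 11, SSH_AGENTC_REQUEST_IDENTITIES, answered by type 12, SSH_AGENT_IDENTITIES_ANSWER), and would work against a genuine ssh-agent socket. The server half is a constructed stand-in so the example runs offline; its key blobs and comments are made up. Note what the client never has to supply: no password, no ticket, no proof of which program it is. It only needs the socket path, which any process of the same uid can read out of the environment or find under the agent's temp directory.

```python
"""ssh-agent trust model: the agent listens on a Unix-domain socket, and
any process running as the same uid that can reach the socket may use it.
Client = real agent protocol (types 11/12); server = constructed stand-in."""
import os
import socket
import struct
import tempfile
import threading

SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def _ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def _recv_msg(sock):
    (length,) = struct.unpack(">I", _read_exact(sock, 4))
    return _read_exact(sock, length)


def _send_msg(sock, payload):
    sock.sendall(struct.pack(">I", len(payload)) + payload)


def list_identities(sock_path):
    """Ask the agent at sock_path for its keys and return their comments.
    The only gate is whether this uid may open the socket; nothing in the
    exchange identifies or authenticates the calling program."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        _send_msg(s, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
        reply = _recv_msg(s)
    if reply[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %d" % reply[0])
    (nkeys,) = struct.unpack(">I", reply[1:5])
    off, comments = 5, []
    for _ in range(nkeys):
        (blen,) = struct.unpack(">I", reply[off:off + 4])
        off += 4 + blen                       # skip the public key blob
        (clen,) = struct.unpack(">I", reply[off:off + 4])
        off += 4
        comments.append(reply[off:off + clen].decode())
        off += clen
    return comments


def start_fake_agent(key_comments):
    """Constructed stand-in for ssh-agent.  Returns (socket path, shutdown).
    Like the real agent it lives in a private 0700 temp directory with a 0600
    socket: every process of this uid, related to the agent or not, may connect."""
    tmpdir = tempfile.mkdtemp(prefix="ssh-")          # mkdtemp creates it 0700
    path = os.path.join(tmpdir, "agent.%d" % os.getpid())
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)
    srv.listen(5)
    srv.settimeout(0.2)                               # lets the loop notice shutdown
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(5)
                req = _recv_msg(conn)
                if req and req[0] == SSH_AGENTC_REQUEST_IDENTITIES:
                    body = bytes([SSH_AGENT_IDENTITIES_ANSWER])
                    body += struct.pack(">I", len(key_comments))
                    for comment in key_comments:
                        body += _ssh_string(b"constructed-key-blob")   # not a real key
                        body += _ssh_string(comment.encode())
                    _send_msg(conn, body)

    threading.Thread(target=serve, daemon=True).start()

    def shutdown():
        stop.set()
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)

    return path, shutdown


def demo(key_comments=("deploy@host", "ops@host")):
    """Start the stand-in agent, query it as any same-uid process could, clean up."""
    path, shutdown = start_fake_agent(list(key_comments))
    try:
        return list_identities(path)
    finally:
        shutdown()
```

Pointing list_identities() at a real $SSH_AUTH_SOCK from a shell that did not start the agent gives the same answer as from the agent's own children, which is exactly why an agent-style "sudo-agent" would amount to NOPASSWD for the whole uid. The knob OpenSSH offers against this is per-use confirmation (ssh-add -c), which asks before each signature rather than trusting the connecting process.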
