su/sudo using ssh auth

mouring at mouring at
Fri Nov 2 16:43:18 EST 2001

Can we take this off the OpenSSH devel list.. This has nothing to do with
us, and frankly I don't care since I don't use sudo.  <smile>

- Ben
[removed CC: to OpenSSH group]

On Fri, 2 Nov 2001, John E Hein wrote:

> Bob Proulx wrote at 13:17 -0700 on Nov  2:
>  > > But I do want to have to enter a password, for instance, at the start of
>  > >  a long running build script that needs to occasionally have root
>  > >  privs at a number of strategic points in the script to do some
>  > >  building in a chroot or mount a flash device.
>  >
>  > How long is long running?  You could always increase the time for
>  > remembering that a password was entered to be long enough to cover the
>  > needed time interval.
> Could be 1, could be 12, could be more hours; could be much less
>  if it dies early.
> The timeout you mention is compiled in.
>  > What commands are you running?  You could always specify an interface
>  > of okayed commands in sudoers where no password is ever required.  If
>  > those commands are okay to run then they are okay to run.  Mounting
>  > and unmounting are prime examples.
> rm, mount, cpio, etc., etc.
> I want these to be authenticated once for the parent process, then
>  children who invoke sudo need not enter a password.  I don't want
>  carte blanche NOPASSWD in sudoers (which applies to the anyone
>  running a sudo that uses that sudoers - usually per machine).
>  Nor do I want to have to edit sudoers each time I add a command
>  I want to run with sudo to this or some other script.
> This equates to a setuid program (except you need to get authenticated
>  to run it) where the elevated effective uid is relinquished when it's
>  not needed.
> There are some conceptual parallels to ssh-agent, but it's not quite the
>  same thing (nor, as has been mentioned, should it be).

More information about the sudo-workers mailing list