su/sudo using ssh auth
mouring at etoh.eviladmin.org
Fri Nov 2 16:43:18 EST 2001
Can we take this off the OpenSSH devel list.. This has nothing to do with
us, and frankly I don't care since I don't use sudo. <smile>
- Ben
[removed CC: to OpenSSH group]
On Fri, 2 Nov 2001, John E Hein wrote:
> Bob Proulx wrote at 13:17 -0700 on Nov 2:
> > > But I do want to have to enter a password, for instance, at the start of
> > > a long running build script that needs to occasionally have root
> > > privs at a number of strategic points in the script to do some
> > > building in a chroot or mount a flash device.
> >
> > How long is long running? You could always increase the time for
> > remembering that a password was entered to be long enough to cover the
> > needed time interval.
>
> Could be 1, could be 12, could be more hours; could be much less
> if it dies early.
>
> The timeout you mention is compiled in.
>
>
> > What commands are you running? You could always specify an interface
> > of okayed commands in sudoers where no password is ever required. If
> > those commands are okay to run then they are okay to run. Mounting
> > and unmounting are prime examples.
>
> rm, mount, cpio, etc., etc.
> I want these to be authenticated once for the parent process, then
> children who invoke sudo need not enter a password. I don't want
> carte blanche NOPASSWD in sudoers (which applies to anyone
> running a sudo that uses that sudoers - usually per machine).
> Nor do I want to have to edit sudoers each time I add a command
> I want to run with sudo to this or some other script.
>
> This equates to a setuid program (except you need to get authenticated
> to run it) where the elevated effective uid is relinquished when it's
> not needed.
>
> There are some conceptual parallels to ssh-agent, but it's not quite the
> same thing (nor, as has been mentioned, should it be).
>
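The two workarounds Bob suggests in the quoted text (a longer password-remembering window, and a list of approved commands that never prompt) can both be expressed in sudoers. The fragment below is an added illustration, not part of the thread and not from the sudo project; the user name "builduser", host name "buildhost", the alias name and the device paths are all assumed. It uses per-user Defaults and a Cmnd_Alias, which sudo has supported since the 1.6 series; on an older build where the timeout really is compiled in, the Defaults line would not be available.

```sudoers
# Added example (not from the thread): sudoers fragment expressing the
# two suggestions quoted above. Names and paths are illustrative.

# Commands the build script needs root for (rm, mount, cpio, ... in the
# thread). Restricting arguments where possible matters: an unrestricted
# mount, chroot or cpio can each be turned into a root shell, so
# "NOPASSWD: BUILD_CMDS" with bare commands is close to "NOPASSWD: ALL".
Cmnd_Alias BUILD_CMDS = /bin/mount /dev/flash /mnt/flash, \
                        /bin/umount /mnt/flash, \
                        /usr/sbin/chroot /srv/build-root

# Suggestion 1: remember the password for 12 hours (value is in minutes),
# scoped to the one user running the build rather than every sudo user.
Defaults:builduser timestamp_timeout=720

# Ordinary rule first: anything else this user runs still prompts.
builduser ALL = (root) ALL

# Suggestion 2: the build commands never prompt, but only for this user
# on this host. This entry comes last on purpose: when several entries
# match, sudo applies the tags of the last match, so a NOPASSWD rule
# placed before the catch-all above would be overridden by it.
builduser buildhost = NOPASSWD: BUILD_CMDS
```

Check the file with `visudo -c` before installing it. For a script that runs longer than the timeout, `sudo -v` refreshes the cached credentials without running a command, so a build script can re-validate at a known point instead of failing on the first expired prompt. Neither mechanism gives what John is asking for, authentication tied to one parent process and inherited by its children; the timestamp is per user (and per tty, depending on how sudo was built), not per process tree.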