su/sudo using ssh auth

John E Hein jhein at
Sat Nov 3 18:25:31 EST 2001

Dan Astoorian wrote at 16:22 -0500 on Nov  2:
 > On Fri, 02 Nov 2001 16:08:02 EST, John E Hein writes:
 > > 
 > > rm, mount, cpio, etc., etc.
 > > I want these to be authenticated once for the parent process, then
 > >  children who invoke sudo need not enter a password.  I don't want
 > >  carte blanche NOPASSWD in sudoers (which applies to the anyone
 > >  running a sudo that uses that sudoers - usually per machine).
 > >  Nor do I want to have to edit sudoers each time I add a command
 > >  I want to run with sudo to this or some other script.
 > (Removed openssh-unix-dev at from the recipients, as this isn't
 > an OpenSSH question anymore.)
 > I'm not sure you're completely clear about the how ssh-agent works.
 > There isn't any credential which is specific to the program run via
 > ssh-agent; any unrelated process which belongs to the same userid can
 > connect to and use the agent as long as it's running.  The parent
 > process and its children are provided with an environment variable that
 > tells them where to find the agent, but there's nothing to prevent other
 > processes from finding and using the same agent.

I am aware how it works and was only using ssh-agent to describe
 a somewhat analogous existing implementation.

 > Thus, applying the ssh-agent model to sudo would effectively give carte
 > blanche NOPASSWD to the userid running your "sudo-agent" for as long as
 > the agent is running.

Essentially this IS what I want.  I want to start some program with
 the currently fictitious sudo-agent (or whatever it winds up being).
 First sudo-agent prompts me for authentication (just like sudo), then that
 program and any time it or its children invoke sudo, they get elevated
 privs without prompting for the password.  Then when the agent exits
 or any time a sudo is called outside the agent's purview, the normal
 non-NOPASSWD sudo behavior applies.  If this uses a agent/add style like
 ssh-agent/add, then the concept is very similar.  But it needn't do it
 the same way.

I am sure you agree there are similarities to ssh-agent.  But, to be sure,
 what I want is not exactly the same.

Nor does it describe exactly what the original poster (Jochen) is
 looking for.

More information about the sudo-workers mailing list