su/sudo using ssh auth
Jochen Topf
jochen at remote.org
Sat Nov 3 18:41:07 EST 2001
Ok, first to make one point clear that maybe didn't come around in my
first posting: I want *one* key-agent to work for 'ssh', 'su', and 'sudo'
and similar programs. That's the whole point. Having one authentication
method would make things easier. Of course this is more complicated to
do than just put something into 'su' or 'sudo', but that's why I sent this
to the ssh developers list, too.
On Fri, Nov 02, 2001 at 10:55:43AM -0700, Todd C. Miller wrote:
> I have resisted doing this because I really think it is pointless.
>
> The only reason sudo authenticates at all is to guard against a
> lack of physical security. Using the ssh agent would not protect
> against this since the passphrase is only entered once. If you
> don't want to enter a password in sudo, just turn off authentication
> and rely on whatever method was used to login.
Of course adding ssh-agent support to 'su' would be more helpful than for
'sudo', because 'sudo' already does this password caching thing. And I
myself would be happy to have it for 'su' only, because I don't use 'sudo'
all that much. But I think it still would be useful for 'sudo'. Two reasons:
1) I don't have a password any more on several accounts. I just log in
through ssh with a key. The machines are far away anyway so I never
log in at the console. The same thing applies to many accounts used
for use by administrative scripts only.
2) If I want to automate a script that runs through several machines,
using several accounts on each machine for different parts of the job
this would be very handy.
The whole idea is more of a convenience thing than something I absolutely
need. Of course I can always use other methods. But this would allow me
to get rid of the whole UNIX password stuff and only use ssh keys for
authentication.
Jochen
--
Jochen Topf - jochen at remote.org - http://www.remote.org/jochen/