su/sudo using ssh auth

Lewis Muhlenkamp lewis.muhlenkamp at motorola.com
Sun Nov 4 03:37:21 EST 2001


In a slightly more generic sense, I think what is being asked is for
ssh, su, sudo, etc. to support Pluggable Authentication Modules (PAM).
Does that make sense?

I could see ssh-agent being made into a PAM module.  I could see the
above three use the ssh-agent PAM module, plus LDAP, NIS, etc. PAM
modules for authentication.  I think that would be a very good thing to
have.

On the flip side though, there would be a need to configure these tools
appropriately.  You would still probably want timeouts on commands run
via sudo.  That may now reside in the sudoers file, or in the pam.conf
file.

I think sudo already supports PAM.  sudo authentication is done in the
same fashion as a telnet.  Thus, I do not think anything needs to be
changed on sudo's side.  I think turning ssh-agent into a PAM module,
or at least providing the ssh server that capability, is what is really
being asked here.

Just my $0.02.


Jochen Topf wrote:
> 
> Ok, first to make one point clear that maybe didn't come around in my
> first posting: I want *one* key-agent to work for 'ssh', 'su', and 'sudo'
> and similar programs. That's the whole point. Having one authentication
> method would make things easier. Of course this is more complicated to
> do than just put something into 'su' or 'sudo', but that's why I sent this
> to the ssh developers list, too.
> 
> On Fri, Nov 02, 2001 at 10:55:43AM -0700, Todd C. Miller wrote:
> > I have resisted doing this because I really think it is pointless.
> >
> > The only reason sudo authenticates at all is to guard against a
> > lack of physical security.  Using the ssh agent would not protect
> > against this since the passphrase is only entered once.  If you
> > don't want to enter a password in sudo, just turn off authentication
> > and rely on whatever method was used to login.
> 
> Of course adding ssh-agent support to 'su' would be more helpful than for
> 'sudo', because 'sudo' already does this password caching thing. And I
> myself would be happy to have it for 'su' only, because I don't use 'sudo'
> all that much. But I think it still would be useful for 'sudo'. Two reasons:
> 
> 1) I don't have a password any more on several accounts. I just log in
>    through ssh with a key. The machines are far away anyways so I never
>    log in at the console. The same thing applies to many accounts used
>    by administrative scripts only.
> 
> 2) If I want to automate a script that runs through several machines,
>    using several accounts on each machine for different parts of the job
>    this would be very handy.
> 
> The whole idea is more of a convenience thing than something I absolutely
> need. Of course I can always use other methods. But this would allow me
> to get rid of the whole UNIX password stuff and only use ssh keys for
> authentication.

-- 
----------------------------------------------------------------------------
| Lewis Muhlenkamp            | Network Systems Administrator              |
| Motorola, Inc.              | phone: 847-538-4670                        |
| 1301 E. Algonquin Rd.       | fax: 847-538-3630                          |
| Mailstop: IL02/2624         | email: lewis.muhlenkamp at motorola.com       |
| Schaumburg, IL 60196        |                                            |
----------------------------------------------------------------------------
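For readers wondering what the setup discussed in this thread looks like in practice, here is an added configuration example; it is not from either poster and did not exist when the thread was written. It assumes Linux-PAM syntax, the third-party pam_ssh_agent_auth module (the "ssh-agent as a PAM module" idea above, which later appeared as a separate project) installed as pam_ssh_agent_auth.so, a system-wide key list at /etc/security/authorized_keys, and a distribution whose shared password stack is named system-auth (Debian-based systems use common-auth instead). It shows both halves Lewis mentions: the PAM stack that lets the agent satisfy sudo's authentication while keeping the password path as a fallback, and the sudoers settings that still control the timestamp timeout and let the agent socket reach the module.

```conf
# /etc/pam.d/sudo   (constructed example, Linux-PAM syntax)
#
# "sufficient": if the agent presents a key that is listed in the
# file= argument, authentication succeeds and the rest of the auth
# stack is skipped; if not, PAM falls through to the normal password
# stack below, so users without a loaded key are still prompted.
auth    sufficient  pam_ssh_agent_auth.so file=/etc/security/authorized_keys
auth    include     system-auth
account include     system-auth
session include     system-auth

# /etc/sudoers fragment   (constructed example; edit with visudo)
#
# sudo scrubs the caller's environment by default. The PAM module
# talks to the user's agent through SSH_AUTH_SOCK, so that variable
# has to survive the scrub or the agent path silently never matches.
Defaults env_keep += "SSH_AUTH_SOCK"

# Agent-based authentication does not change sudo's own caching: a
# successful auth is still reused for timestamp_timeout minutes.
# Keep it short (or set 0 to re-check on every command) if the agent
# holds a key that was unlocked once and stays loaded all day.
Defaults timestamp_timeout=5
```

One check worth doing after putting this in place: run sudo with a key loaded and again after `ssh-add -D`, and confirm the second attempt falls back to the password prompt rather than failing outright; if it fails, the `include` line name or the env_keep entry is usually what is wrong for that distribution.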


