[ec2-beta] sudo without a password - ssh-agent? PAM??
Neal McBurnett
neal at mcburnett.org
Wed Dec 17 03:19:36 GMT 2008
The ec2 root login / ubuntu password / sudo dance is really ugly. I
hate being presented with an auto-generated password to manage, and
being logged out right away. But I like the standard use of sudo in
Ubuntu, for logging, extra security, etc.

I'd like a way to not have a password for the ubuntu user, and instead
do a challenge-response on the established ssh key via the ssh-agent
socket during a sudo to authenticate as root. This might involve PAM
somehow.

This was requested a few years ago at:
http://www.sudo.ws/pipermail/sudo-users/2006-February/002747.html
but didn't seem to get a useful response.

Aha - I just found that the recent USENIX LISA conference had a paper
which implements this for OpenBSD 4.2 using the BSD Authentication
framework, which is like PAM:
http://www.usenix.org/event/lisa08/tech/full_papers/burnside/burnside_html/index.html

Anyone up for implementing that for PAM/Ubuntu?
I've written the authors to inquire if they know of efforts to do it.

Neal McBurnett http://neal.mcburnett.org/
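
The challenge-response described in the message above, as an added example that is not part of the original post or of the LISA paper's code: the verifier sends a fresh random challenge to ssh-agent in a sign request and accepts only if the returned signature checks out against a key it already trusts. It assumes `sock` is a connected stream socket to the path in `SSH_AUTH_SOCK`; `authorized_blobs` and the caller-supplied `verify` function are hypothetical names, and the signature check itself is left to a crypto library.

```python
import os, struct

SSH_AGENTC_SIGN_REQUEST = 13   # message numbers from the SSH agent protocol
SSH_AGENT_SIGN_RESPONSE = 14

def ssh_string(data):
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Decode one SSH string at offset off; return (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated agent message")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated agent message")
    return buf[off + 4:off + 4 + n], off + 4 + n

def recv_exact(sock, n):
    """Read exactly n bytes or fail; stream sockets may return short reads."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        data += chunk
    return data

def agent_sign(sock, key_blob, challenge):
    """Ask the agent to sign challenge with key_blob; None if it refuses."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(challenge) + struct.pack(">I", 0))  # flags = 0
    sock.sendall(ssh_string(body))
    (n,) = struct.unpack(">I", recv_exact(sock, 4))
    if not 1 <= n <= 256 * 1024:  # bound the reply before reading it
        raise ValueError("bad agent reply length")
    reply = recv_exact(sock, n)
    if reply[0] != SSH_AGENT_SIGN_RESPONSE:  # e.g. failure: key not held
        return None
    return read_string(reply, 1)[0]

def authenticate(sock, authorized_blobs, verify):
    """True if the agent proves possession of one authorized key."""
    # verify(key_blob, challenge, signature) -> bool is caller-supplied (assumed).
    for blob in authorized_blobs:
        challenge = os.urandom(32)  # fresh per attempt, so no replay
        sig = agent_sign(sock, blob, challenge)
        if sig is not None and verify(blob, challenge, sig):
            return True
    return False
```

The agent never releases the private key; it only returns a signature over the bytes it is handed, which is why the challenge has to be unpredictable and generated by the verifier.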