[ec2-beta] "ubuntu" passwordless sudo

Eric Hammond ehammond at thinksome.com
Tue Jan 13 07:15:48 GMT 2009


Jamie:

I had proposed the same (crazy) strategy of letting "ubuntu" use sudo
without a password back when we were discussing the approach for the
first official beta AMI.  I also described it again 11 hours ago in a
response to one of Mark's posts to this list, but apparently I didn't hit
"reply all" so Mark was the only one who saw it :)

What I like about this approach is that it is a compromise between the
security evils of connecting as root all the time and the usability
evils of having to jump through hoops to set or remember random
passwords for lots of instances.

We might even consider disabling all root ssh logins on the images.
Users would always ssh in as "ubuntu" and then use sudo to perform
privileged operations, even running an initial tasksel if they desire.

One use case which I haven't talked about on the public list is that we
need to continue supporting the automatic configuration of an instance
by external scripts which ssh in.  Folks who take this approach
currently write their code to ssh in as root to perform various software
installation and configuration.  (Non-interactive first ssh to root was
intended to be supported on the beta AMI but seems to be not working.)

Over the last number of years I have written a fair amount of code which
connects through ssh to a normal account and uses passwordless sudo to
set up an Ubuntu system.  It's not always easy (especially with rsync)
but it's always possible.

Requiring this approach would cause people who are using automated
external configuration to have to modify some code which might be a
barrier to switching, but it does feel clean.

This is actually the approach I had originally considered when I started
building Ubuntu AMIs for EC2, but I didn't feel like I had the clout to
convince EC2 people to do things my way.  Perhaps Canonical does :)

--
Eric Hammond
ehammond at thinksome.com



Jamie Strandboge wrote:
> With these things in mind, I'll put out there a (perhaps crazy) idea and
> suggest setting up the user totally differently:
> 
> a) set up a long random password for the ubuntu user, or perhaps simply
> lock the account (passwd -l ubuntu)
> b) set up /etc/sudoers to not prompt for a password at all
> ('Defaults:ubuntu !authenticate' and 'ubuntu ALL=(ALL) ALL')
> c) move /root/.ssh/authorized_keys aside to disable ssh key root logins
> after the first login
> 
> In this scenario, the 'ubuntu' account should be safe (i.e., you can't
> 'su' into it from another account or login via ssh with a password), and
> this gets the spirit of the Ubuntu non-root user back: specifically
> normal access is non-root and there is a log audit trail for privileged
> operations.
> 
> Jamie
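
The three steps Jamie lists, written out as an added example script (not from the thread or from the Ubuntu EC2 images) that an image-build step could run as root, with a syntax check of the sudoers fragment and a function that verifies the grant afterwards. It assumes the login user is "ubuntu", that sudo reads /etc/sudoers.d, and that the fragment file name 90-ubuntu-nopasswd is acceptable.

```shell
#!/bin/sh
# Added example: passwordless sudo for a locked "ubuntu" account, no root ssh.
# Assumed: user "ubuntu"; /etc/sudoers.d is included by /etc/sudoers.
set -eu

USER_NAME="${1:-ubuntu}"

# The sudoers fragment: never ask this user for a password, allow everything.
sudoers_fragment() {
    printf 'Defaults:%s !authenticate\n%s ALL=(ALL) ALL\n' "$1" "$1"
}

# Write the fragment to $2 with the 0440 mode sudo insists on, then let
# visudo parse it (with -f, visudo checks syntax only) before it goes live.
write_fragment() {
    fragment_path="$2"
    umask 027
    sudoers_fragment "$1" > "$fragment_path"
    chmod 0440 "$fragment_path"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$fragment_path" >/dev/null
    fi
}

# Return 0 when fragment $2 gives user $1 password-free full sudo, else 1.
# Useful both to confirm the build and to audit an image for such grants.
fragment_grants_nopasswd() {
    grep -qE "^Defaults:$1[[:space:]]+!authenticate" "$2" &&
        grep -qE "^$1[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL" "$2"
}

# Apply all three steps on the running system (root only).
apply_on_system() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    passwd -l "$USER_NAME"                      # a) lock the password
    write_fragment "$USER_NAME" "/etc/sudoers.d/90-$USER_NAME-nopasswd"  # b)
    if [ -f /root/.ssh/authorized_keys ]; then  # c) no more root ssh logins
        mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys.disabled
    fi
    sudo -l -U "$USER_NAME"   # show the effective grant; each use is logged
}

if [ "${2:-}" = "--apply" ]; then
    apply_on_system
fi
```

External configuration scripts of the kind Eric describes then ssh in as ubuntu and run `sudo -n <command>` (sudo's non-interactive flag fails instead of prompting if the grant is missing); for rsync, pass `--rsync-path="sudo rsync"` so the remote side runs privileged.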
