[ec2-beta] [Fwd: Re: sudopk: sudo auth via ssh-agent - port to Ubuntu]

Eric Hammond ehammond at thinksome.com
Sun Jan 18 01:01:28 GMT 2009


For simple, manual ssh in to an EC2 instance pam_ssh_agent_auth sounds
like a great way to improve security a bit over passwordless sudo.

If it becomes easy to install with Ubuntu I'm likely to start using it
personally.

However, we need to keep the following use case in mind:

  Cron job (inside or outside of EC2):
  - start an EC2 instance
  - ssh to the instance to install some software
  - rsync some files to the instance as root-owned

With the ability to ssh directly to root, this is easy.

With the ability to ssh to a normal user who can sudo without a
password, the ssh part is mostly easy, and most people will require help
figuring out the rsync part.

With the ability to ssh in to a normal user who can sudo only with agent
auth, this may become a barrier to adoption for some.


Here's a recipe which should work for automating the ssh part with ssh
agent auth.

#!/bin/bash
host=$1
# Start a throwaway agent for this run and load the instance key into it.
eval $(ssh-agent)
ssh-add EC2_KEYPAIR.pem
# -A forwards the agent so sudo on the instance can authenticate against it.
ssh -A ubuntu@"$host" <<EOM
  sudo apt-get update && sudo apt-get upgrade -y
EOM
# Tear the agent down so the key does not linger after the job.
kill $SSH_AGENT_PID

That's a lot of framework for what starts out as a simple "ssh root@"
command on other distros.

I also have a recipe for automated rsync with sudo, but it involves
copying up a small --rsync-path wrapper before running rsync.


Summary: I like the idea and will probably use it myself in various
places if it becomes available, but wonder if it will reduce adoption
and give the Ubuntu images a reputation of being difficult to use.

--
Eric Hammond
ehammond at thinksome.com
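
Added example for the cron use case above, not taken from Eric's message or from the pam_ssh_agent_auth project: one script that does both the "install software" step and the "rsync files as root" step through a forwarded agent, and kills the agent even if a step fails. It assumes the instance is set up the way the module documents it (pam_ssh_agent_auth in /etc/pam.d/sudo and `Defaults env_keep += "SSH_AUTH_SOCK"` in sudoers); the key path, user name and host are placeholders, and paths are assumed to contain no shell metacharacters.

```shell
#!/bin/sh
# Added example, not Eric's script or the pam_ssh_agent_auth project's code.
# Unattended ssh + rsync-as-root against an instance whose sudo is gated by
# pam_ssh_agent_auth, with the agent torn down even when a step fails.
#
# Assumed configuration on the instance (not given on the page; taken from the
# module's documented setup):
#   /etc/pam.d/sudo   auth sufficient pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys
#   /etc/sudoers      Defaults env_keep += "SSH_AUTH_SOCK"
# Without env_keep, sudo strips SSH_AUTH_SOCK and the module never sees the agent.
set -eu

KEYPAIR="${EC2_KEYPAIR:-EC2_KEYPAIR.pem}"   # placeholder path, as in the original
REMOTE_USER="ubuntu"
# Forward the agent (-A) but refuse interactive fallbacks: BatchMode makes an
# unattended run fail instead of hanging on a password prompt.
SSH_OPTS="-A -o BatchMode=yes"

# Command line for the remote shell step.
ssh_cmd() {
    printf 'ssh %s %s@%s' "$SSH_OPTS" "$REMOTE_USER" "$1"
}

# Command line for copying files as root: the remote rsync runs under sudo,
# which authenticates through the forwarded agent socket, so no wrapper script
# has to be uploaded first. The "--" keeps odd paths from being read as options.
# Arguments: host, local source, remote destination (no shell metacharacters).
rsync_cmd() {
    printf 'rsync -a -e "ssh %s" --rsync-path="sudo rsync" -- %s %s@%s:%s' \
        "$SSH_OPTS" "$2" "$REMOTE_USER" "$1" "$3"
}

# Start a private agent for this run and guarantee it is killed on exit,
# whether the job succeeds or set -e aborts it halfway.
start_agent() {
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT
    ssh-add "$KEYPAIR"
}

main() {
    host="$1"; src="$2"; dest="$3"
    start_agent
    # Step 1: software install; sudo authenticates via the forwarded agent.
    $(ssh_cmd "$host") 'sudo apt-get update && sudo apt-get upgrade -y'
    # Step 2: root-owned file copy with the same agent.
    eval "$(rsync_cmd "$host" "$src" "$dest")"
}

# Run only when invoked with arguments: host, local source, remote destination.
if [ "$#" -eq 3 ]; then
    main "$@"
else
    echo "usage: $0 <host> <local-src> <remote-dest>" >&2
fi
```

The trap on EXIT is the part worth copying even if nothing else is: Eric's recipe kills the agent on the last line, so any failure before that leaves an agent holding the instance key running under the cron user.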



Nick Barcet wrote:
> Forwarding this email we just received on the Ubuntu Server list,
> wondering if this could not be used by the ec2 images to avoid the
> Ubuntu user sudo password problems that were previously noted.
> 
> WDYT?
> 
> Nick
> 
> -------- Original Message --------
> Subject: Re: sudopk: sudo auth via ssh-agent - port to Ubuntu
> Date: Sat, 17 Jan 2009 00:36:47 -0800 (PST)
> From: Jamie Beverly <jamie.beverly at yahoo.com>
> To: ubuntu-server at lists.ubuntu.com
> 
> 
>  It's not a port of anything, I just wrote it. But I believe it is what
> you are looking for.
> 
> 
>  http://pamsshagentauth.sf.net/