sudopk: sudo auth via ssh-agent - port to Ubuntu?

Neal McBurnett neal at bcn.boulder.co.us
Wed Dec 17 05:16:58 UTC 2008


I like the standard use of sudo in Ubuntu, for logging, extra
security, etc.  But it can be risky to type a password into a remote
machine for sudo, e.g. a remote server or EC2 virtual machine.  If the
remote machine is compromised, the password could be exposed and that
might open up other machines to compromise.

Instead I'd like to get ssh-agent involved: sudo on the remote machine
can do a challenge-response via its ssh-agent socket to get the local
machine's ssh-agent to authenticate.

This was requested a few years ago at:

 http://www.sudo.ws/pipermail/sudo-users/2006-February/002747.html

and I started thinking about it again given the EC2 beta.

I just found that the recent USENIX LISA conference had a paper on an
implementation of this for OpenBSD 4.2 using the BSD Authentication
framework, which is like PAM:

 http://www.usenix.org/event/lisa08/tech/full_papers/burnside/burnside_html/index.html

An OpenBSD patch is at http://www.cs.columbia.edu/~mb/code/sudopk

Anyone up for porting that to Ubuntu, perhaps via PAM?

I've written one of the authors, Matthew Burnside, and he is happy to
help anyone who wants to do it, but won't have time to do so soon
himself.

Neal McBurnett                 http://neal.mcburnett.org/




More information about the ubuntu-server mailing list