sudopk: sudo auth via ssh-agent - port to Ubuntu?

Neal McBurnett neal at mcburnett.org
Sat Jan 17 15:38:59 UTC 2009


For those that didn't see the initial conversation on either ec2-beta
or ubuntu-server, here is what I wrote:

On Tue, Dec 16, 2008 at 09:20:01PM -0700, Neal McBurnett wrote:
> I like the standard use of sudo in Ubuntu, for logging, extra
> security, etc.  But it can be very risky to type a password into a
> remote machine for sudo, e.g. a remote server or EC2 virtual machine.
> If the remote machine is compromised, the password could be exposed
> and that might open up other machines to compromise.
> 
> Instead I'd like sudo on the remote machine to do a challenge-response
> via the ssh-agent socket to get the local machine's ssh-agent to
> authenticate.
> 
> This was requested a few years ago at:
> 
>  http://www.sudo.ws/pipermail/sudo-users/2006-February/002747.html
> 
> and I started thinking about it again given the EC2 beta.
> 
> I just found that the recent USENIX LISA conference had a paper on an
> implementation of this for OpenBSD 4.2 using the BSD Authentication
> framework, which is like PAM:
> 
>  http://www.usenix.org/event/lisa08/tech/full_papers/burnside/burnside_html/index.html
> 
> An openbsd patch is at http://www.cs.columbia.edu/~mb/code/sudopk
> 
> Anyone up for porting that to Ubuntu, perhaps via PAM?
> 
> I've written the authors to inquire if they know of efforts to do it.

The author of the OpenBSD code, Matthew Burnside (CC'd here) responded
that he thought it would be pretty straightforward, but didn't have
time.

On Sat, Jan 17, 2009 at 12:36:47AM -0800, Jamie Beverly wrote: 
>  
>  It's not a port of anything, I just wrote it. But I believe it is
what you are looking for.  
>  
>  http://pamsshagentauth.sf.net/ 

I'm delighted to see that - thanks!

I think it can improve security on ec2, since typing passwords on a
possibly-compromised machine is a bad idea.  And of course it can also
improve the user experience.

Cheers,

Neal McBurnett                 http://neal.mcburnett.org/




More information about the ubuntu-server mailing list