
| Subject: | Re: using ssh authentication with sudo |
|---|---|
| Date: | Tue, 22 May 2007 20:11:49 -0400 |

Actually, you're missing the most important piece of sudo. People walk away from terminal sessions all the time. The point of the authentication and timeout is to assure that the person executing the sudo is actually the correct, authenticated person. That's why sudo won't accept cached credentials. And I wouldn't do anything to change that behavior. You might as well just log in with UID 0 then.

Eric S. Johansson sent the following missive on 5/20/2007 11:17 AM:

There are a number of ways I could be missing something obvious, so I apologize in advance. My idea is that it should be possible to grant sudo access with your ssh credentials. The logic is that once the server has granted access to a client based on its ssh keys, it should be possible to use the same authentication to grant sudo privileges. After all, if a key pair is good enough to get you into one machine, why isn't it good enough to grant you the full Monty?

Assuming that it is, how could a local program determine that the process it is running in has done so via ssh key authentication? Would it query the agent directly? Would it be able to use agent forwarding? Or is this a really bad idea that I should just give up on?

---eric

-- Justin Bradford Alcorn justin@jalcorn.net http://jalcorn.net PGP Fingerprint A36D D691 C5B0 BE15 5A2A AF49 AA1C 372C