[Gllug] sudo authentication against ssh key
Bruce Richardson
itsbruce at workshy.org
Mon Jul 20 13:07:45 UTC 2009
On Mon, Jul 20, 2009 at 01:19:38PM +0100, Minty wrote:
> I want "if you've authenticated enough for ssh then sudo doesn't need
> to authenticate you further".
>
> Or am I approaching this via the wrong angle?
I think PAM is the core to any such solution. The key is that if UsePAM
is enabled, anybody who logs in with a key will bypass PAM
authentication, while anybody who doesn't will go through PAM
authentication. Here's how I would exploit this:
1. Make sure all ssh users are in a particular group (you might want to
force membership of this with the sshd AllowGroups parameter in
sshd_config).
2. Configure the PAM auth service for SSH to add people to a specific
group (e.g. a group called nokey).
3. Configure sudo with a userlist that contains people who should be
allowed to skip authentication by default and exclude the nokey group:
    User_Alias TRUSTED = !%nokey, %sshusers
4. Have sudo force all members of that list to use password auth:
    Defaults:TRUSTED !authenticate
So people who use key authentication will not be placed in the nokey
group and will be allowed to skip a password by default. You can still
override this on a per-user/group basis with the appropriate sudo config.
--
Bruce
Those who cast the votes decide nothing. Those who count the
votes decide everything. -- Joseph Stalin