sudo and ssh

Hello,

Can you configure sudo to use the passphrase of the user's ssh key instead of the one in passwd?

Some users do not have local passwords on the system, and instead of adding NOPASSWD in sudoers I would like the solution I asked about above.

Thx Jocke

Short answer: no, sorry.

The passphrase would be on the client side anyway (to decrypt their private key), so it couldn't be trusted by the sshd end.

I'd suggest sticking with NOPASSWD if you really can't have a local password for the user (I fail to see why this needs to be that way, though...)

Thank you for the quick reply.
The reason we don't have passwords in passwd is that the customer has a lot of servers but no directory service like LDAP or NIS+. When we install the servers we add all the users and set up ssh for them. Hopefully they will soon start to use LDAP and our task will be a lot easier.
/Jocke

It's way clunky, but you could write a wrapper script that runs as a special user (i.e. setuid) and does a check of the user's ssh credentials before calling sudo.

You can then set up sudoers rules with NOPASSWD for that special user.

pros:

  • Quick fix that might actually work

cons:

  • It's kind of ugly :P
  • Could be some fun and games getting the checking of ssh passphrases right without actually transmitting them in plain text at any point
  • If you mess up the setuid script you grant access to everything
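One way to build the wrapper sketched above, as an added example rather than anything posted in the thread. It sidesteps the passphrase problem entirely: instead of checking a passphrase, the user proves possession of their ssh key with a signature (`ssh-keygen -Y sign`, which can sign through ssh-agent when given the public key), and the dedicated account verifies it with `ssh-keygen -Y verify` against a root-owned allowed_signers file before exec'ing the NOPASSWD sudo call. The account name `sshcheck`, the paths `/usr/local/sbin/sshsudo` and `/etc/sshsudo/allowed_signers`, and the two sudoers lines are assumptions for this example. Because Linux ignores the setuid bit on interpreted scripts, the wrapper reaches the special account through a sudoers rule rather than a setuid bit.

```shell
#!/bin/sh
# sshsudo: hypothetical wrapper that makes a user prove possession of
# their ssh key (ssh-keygen -Y sign / -Y verify) before a NOPASSWD sudo
# rule for a dedicated account runs the real command.
# Account name, paths and the sudoers lines are assumptions for this example.
#
# Assumed /etc/sudoers entries (edit with visudo):
#   ALL      ALL=(sshcheck) NOPASSWD: /usr/local/sbin/sshsudo
#   sshcheck ALL=(ALL)      NOPASSWD: ALL
# Assumed /etc/sshsudo/allowed_signers (root-owned, never user-writable):
#   jocke namespaces="sshsudo" ssh-ed25519 AAAAC3...
set -eu

# Fixed path on purpose: the caller must never be able to pick the signers file.
SIGNERS=/etc/sshsudo/allowed_signers
NAMESPACE=sshsudo
MAX_AGE=60   # seconds a signed request stays usable

# Bytes the user signs: a tag, the user name, a timestamp and every
# argument, NUL-separated so argument boundaries are unambiguous. Binding
# the exact command and time means a captured signature cannot be reused
# later or for a different command.
sshsudo_message() {   # user epoch [cmd...]
    u=$1; t=$2; shift 2
    printf 'sshsudo\0%s\0%s\0' "$u" "$t"
    printf '%s\0' "$@"
}

# Client side (runs as the ordinary user, who holds the key or the agent).
# Given a *.pub file, ssh-keygen signs via ssh-agent, so the passphrase
# never leaves the user's side.
sshsudo_sign() {      # keyfile user epoch [cmd...]
    k=$1; u=$2; t=$3; shift 3
    sshsudo_message "$u" "$t" "$@" |
        ssh-keygen -Y sign -f "$k" -n "$NAMESPACE" 2>/dev/null
}

# Verifier side (runs as sshcheck). The principal is whoever sudo says
# invoked us, not anything the user typed, and must appear in SIGNERS.
sshsudo_verify() {    # user epoch sigfile [cmd...]
    u=$1; t=$2; sig=$3; shift 3
    now=$(date +%s)
    [ "$t" -le "$now" ] && [ $((now - t)) -le "$MAX_AGE" ] || return 1
    sshsudo_message "$u" "$t" "$@" |
        ssh-keygen -Y verify -f "$SIGNERS" -I "$u" -n "$NAMESPACE" \
            -s "$sig" >/dev/null 2>&1
}

sshsudo_main() {
    if [ "${1:-}" = --verify ]; then
        # Second stage: reached via sudo as sshcheck, signature on stdin.
        shift; t=$1; shift
        sig=$(mktemp); trap 'rm -f "$sig"' EXIT
        cat >"$sig"
        sshsudo_verify "${SUDO_USER:?}" "$t" "$sig" "$@" ||
            { echo "sshsudo: ssh key check failed for ${SUDO_USER}" >&2; exit 1; }
        rm -f "$sig"
        exec sudo -n -- "$@"
    fi
    # First stage: sign as the user, then hand off to the verifier.
    t=$(date +%s)
    sshsudo_sign "$HOME/.ssh/id_ed25519.pub" "$(id -un)" "$t" "$@" |
        sudo -n -u sshcheck /usr/local/sbin/sshsudo --verify "$t" "$@"
}

# Only act as the wrapper when installed under that name; sourcing the file
# just defines the functions.
case ${0##*/} in sshsudo) sshsudo_main "$@" ;; esac
```

Two points follow from the cons listed above. The verifier never sees a passphrase, only a signature it can check with public material, so nothing secret is transmitted. And the real gate is the first sudoers line: whoever may run the wrapper as `sshcheck` is exactly who can attempt the check, so that rule and the ownership of the signers file are what you must not get wrong. The second stage consumes stdin to read the signature, so interactive commands would need the signature passed some other way.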