| 1 |
On Friday, 15 July 2022 18:15:04 CEST Grant Taylor wrote: |
| 2 |
> On 7/15/22 1:15 AM, J. Roeleveld wrote: |
| 3 |
> > Yes. |
| 4 |
> |
| 5 |
> Okay. |
| 6 |
> |
| 7 |
> That simply means that SSH keys won't be used to authenticate to the |
| 8 |
> remote system. |
| 9 |
> |
| 10 |
> > How would it not prompt for a password. |
| 11 |
> |
| 12 |
> There is a PAM module; pam_ssh_agent_auth, which can be used to enable |
| 13 |
> users to authenticate to sudo using SSH keys. This means that the user |
| 14 |
> /does/ authenticate to sudo as necessary. It's just that the |
| 15 |
> authentication happens behind the scenes and they don't need to enter |
| 16 |
> their password. Thus you can avoid the NOPASSWD: option which means a |
| 17 |
> better security posture. |
| 18 |
|
| 19 |
Hmm... interesting. I will look into this. |
| 20 |
But, it needs the agent to be running, which will make it tricky for |
| 21 |
automation. (I have some scripts that need to do things on different systems |
| 22 |
in a sequence for which this could help) |
| 23 |
|
| 24 |
> > I need something that will take the password from the vault (I |
| 25 |
> > can do this in Python and shell-scripting. Probably also in other |
| 26 |
> > scripts). Authenticating to the vault can be done on a session basis |
| 27 |
> > and shared. So locally, I'd only login once. |
| 28 |
> |
| 29 |
> Sure. |
| 30 |
> |
| 31 |
> > Currently, yes. I never physically see the password as it currently |
| 32 |
> > goes into the clipboard and gets wiped from there after a short time |
| 33 |
> > period. Enough time to paste it into the password-prompt. It's |
| 34 |
> > the copy/pasting that I am looking to automate into a single |
| 35 |
> > "login-to-remote-host" script. |
| 36 |
> |
| 37 |
> I would not consider the copy and paste method to be secure. There are |
| 38 |
> plenty of utilities to monitor the clipboard et al. and copy the new |
| 39 |
> contents in extremely short order. As such, users could arrange to |
| 40 |
> acquire copies of the password passing through the clipboard. |
| 41 |
|
| 42 |
I know, which is why I was investigating automating it. The passwords are too |
| 43 |
long to comfortably copy by hand. |
| 44 |
|
| 45 |
> I would strongly suggest exploring options that don't use the clipboard |
| 46 |
> and instead retrieve the password from the vault and inject it into the |
| 47 |
> remote system without using the clipboard. |
| 48 |
> |
| 49 |
> Or, authenticate to sudo a different way that doesn't involve a |
| 50 |
> password. This will work for 90+ percent of the use cases. Meaning |
| 51 |
> that the sensitive password is needed for 10 percent or less of the |
| 52 |
> time. Thereby reducing the possible sensitive password exposure. }:-) |
| 53 |
> |
| 54 |
> > I prefer not to use SSH keys for this as they tend to exist for years |
| 55 |
> > in my experience. And one unnoticed leak can open up a lot of systems. |
| 56 |
> |
| 57 |
> That is a valid concern. |
| 58 |
> |
| 59 |
> I'd strongly suggest that you research SSH /certificates/. SSH |
| 60 |
> /certificates/ support a finite life time /and/ can specify what |
| 61 |
> command(s) / action(s) they can be used for. |
| 62 |
> |
| 63 |
> My $EMPLOYER uses SSH /certificates/ that last about 8 hours. I've |
| 64 |
> heard of others that use SSH /certificates/ that last for a single digit |
| 65 |
> number of minutes or even seconds. The idea being that the SSH |
| 66 |
> /certificate/ only lasts just long enough for it to be used for it's |
| 67 |
> intended purpose and no longer. |
| 68 |
|
| 69 |
I will definitely investigate this. They sound interesting. I'd set the |
| 70 |
validity to a lot less if this can be automated easily. |
| 71 |
|
| 72 |
> The ability to specify the command; e.g. "su -" that is allowed to be |
| 73 |
> executed means that people can't use them to start any other command. }:-) |
| 74 |
> |
| 75 |
> > This is why I use passwords. (passwords are long random strings that |
| 76 |
> > are changed regularly) |
| 77 |
> |
| 78 |
> Fair enough. I only counter with take a few minutes to research SSH |
| 79 |
> /certificates/ and see if they are of any interest to you. |
| 80 |
|
| 81 |
Added to my research-list. |
| 82 |
|
| 83 |
-- |
| 84 |
Joost |
Archives