On Friday, 15 July 2022 18:15:04 CEST Grant Taylor wrote:
> On 7/15/22 1:15 AM, J. Roeleveld wrote:
> > Yes.
>
> Okay.
>
> That simply means that SSH keys won't be used to authenticate to the
> remote system.
>
> > How would it not prompt for a password?
>
> There is a PAM module; pam_ssh_agent_auth, which can be used to enable
> users to authenticate to sudo using SSH keys. This means that the user
> /does/ authenticate to sudo as necessary. It's just that the
> authentication happens behind the scenes and they don't need to enter
> their password. Thus you can avoid the NOPASSWD: option which means a
> better security posture.

Hmm... interesting. I will look into this.
But, it needs the agent to be running, which will make it tricky for
automation. (I have some scripts that need to do things on different systems
in a sequence for which this could help)

> > I need something that will take the password from the vault (I
> > can do this in Python and shell-scripting. Probably also in other
> > scripts). Authenticating to the vault can be done on a session basis
> > and shared. So locally, I'd only login once.
>
> Sure.
>
> > Currently, yes. I never physically see the password as it currently
> > goes into the clipboard and gets wiped from there after a short time
> > period. Enough time to paste it into the password-prompt. It's
> > the copy/pasting that I am looking to automate into a single
> > "login-to-remote-host" script.
>
> I would not consider the copy and paste method to be secure. There are
> plenty of utilities to monitor the clipboard et al. and copy the new
> contents in extremely short order. As such, users could arrange to
> acquire copies of the password passing through the clipboard.

I know, which is why I was investigating automating it. The passwords are too
long to comfortably copy by hand.

> I would strongly suggest exploring options that don't use the clipboard
> and instead retrieve the password from the vault and inject it into the
> remote system without using the clipboard.
>
> Or, authenticate to sudo a different way that doesn't involve a
> password. This will work for 90+ percent of the use cases. Meaning
> that the sensitive password is needed for 10 percent or less of the
> time. Thereby reducing the possible sensitive password exposure. }:-)
>
> > I prefer not to use SSH keys for this as they tend to exist for years
> > in my experience. And one unnoticed leak can open up a lot of systems.
>
> That is a valid concern.
>
> I'd strongly suggest that you research SSH /certificates/. SSH
> /certificates/ support a finite life time /and/ can specify what
> command(s) / action(s) they can be used for.
>
> My $EMPLOYER uses SSH /certificates/ that last about 8 hours. I've
> heard of others that use SSH /certificates/ that last for a single digit
> number of minutes or even seconds. The idea being that the SSH
> /certificate/ only lasts just long enough for it to be used for its
> intended purpose and no longer.

I will definitely investigate this. They sound interesting. I'd set the
validity to a lot less if this can be automated easily.

> The ability to specify the command; e.g. "su -" that is allowed to be
> executed means that people can't use them to start any other command. }:-)
>
> > This is why I use passwords. (passwords are long random strings that
> > are changed regularly)
>
> Fair enough. I only counter with take a few minutes to research SSH
> /certificates/ and see if they are of any interest to you.

Added to my research-list.

-- 
Joost
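The two properties Grant recommends above, a certificate that lives for hours rather than years and one that is pinned to a single command such as "su -", are both set at signing time with ssh-keygen. The script below is an added example and not code from either poster; it assumes OpenSSH's ssh-keygen is on PATH, and every path, key comment, certificate identity and principal name in it is constructed for the demonstration. It issues an 8-hour certificate restricted to a forced command, then reads the certificate back the way an administrator would audit it, and finally shows that a certificate whose window has already closed is rejected by the same check even though its signature is sound.

```shell
#!/bin/sh
# Added example, not part of the thread: mint a short-lived OpenSSH user
# certificate restricted to one forced command, then audit what was issued.
# Assumes ssh-keygen is installed; all names and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA key pair (hypothetical; in practice the private half stays off the
# workstation, e.g. on a signing host or a hardware token).
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'demo-user-ca' -f "$WORK/user_ca"
}

# The user's ordinary key pair. Only its public half is handed to the CA.
make_user_key() {
  ssh-keygen -q -t ed25519 -N '' -C 'demo-user' -f "$WORK/$1"
}

# Sign "$WORK/$1.pub" -> "$WORK/$1-cert.pub".
#   $2  validity window in ssh-keygen -V syntax, e.g. '-5m:+8h'
#   $3  forced command: the server runs only this, whatever the client asks
# '-O clear' drops every default permission (agent/port/X11 forwarding),
# then permit-pty is re-added because 'su -' needs a terminal.
sign_cert() {
  ssh-keygen -q -s "$WORK/user_ca" -I "demo-$1" -n joost -V "$2" \
    -O clear -O permit-pty -O "force-command=$3" "$WORK/$1.pub"
}

# --- Audit helpers: all of them read the issued certificate back with
# --- 'ssh-keygen -L', the command an admin uses to inspect a certificate.

cert_force_command() {
  ssh-keygen -L -f "$WORK/$1-cert.pub" | sed -n 's/^ *force-command //p'
}

# Principal names are listed on indented lines until the next "Header:" line.
cert_principals() {
  ssh-keygen -L -f "$WORK/$1-cert.pub" |
    awk '/^ *Principals:/{p=1;next} p&&/:/{p=0} p{print $1}'
}

# Fingerprint of our CA public key, as printed by 'ssh-keygen -l'.
ca_fingerprint() {
  ssh-keygen -lf "$WORK/user_ca.pub" | awk '{print $2}'
}

# Fingerprint of whichever CA signed the certificate.
cert_signing_ca() {
  ssh-keygen -L -f "$WORK/$1-cert.pub" | awk '/Signing CA:/{print $4}'
}

# Exit 0 if the certificate was issued by our CA, 1 otherwise.
cert_signed_by_ca() {
  [ "$(cert_signing_ca "$1")" = "$(ca_fingerprint)" ]
}

# Exit 0 if the local clock is inside the validity window, 1 otherwise.
# ssh-keygen -L prints local time as YYYY-MM-DDTHH:MM:SS, so the window
# can be compared with 'date' output as plain strings.
cert_is_current() {
  ssh-keygen -L -f "$WORK/$1-cert.pub" |
    awk -v now="$(date +%Y-%m-%dT%H:%M:%S)" \
      '/Valid: from/ { seen=1; ok=(now >= $3 && now <= $5) }
       END { exit !(seen && ok) }'
}

# --- Demo run ------------------------------------------------------------
make_ca
make_user_key joost
sign_cert joost '-5m:+8h' 'su -'      # roughly what the thread describes
echo "force-command: $(cert_force_command joost)"
echo "principals:    $(cert_principals joost)"
cert_signed_by_ca joost && echo "issued by our CA"
cert_is_current joost && echo "cert is inside its validity window"

# A certificate whose window already closed: sshd refuses it even though
# the signature verifies. That is the property valued in the thread.
make_user_key stale
sign_cert stale '-2h:-1h' 'su -'
cert_is_current stale || echo "stale cert is outside its window"
ssh-keygen -L -f "$WORK/joost-cert.pub"  # full human-readable dump
```

On the server side nothing but `TrustedUserCAKeys` pointing at `user_ca.pub` is needed for sshd to accept certificates from this CA; the validity window and the forced command are enforced by sshd from the certificate itself, so a leaked certificate stops working on its own once the window closes, which is the difference from a plain key that Joost was worried about.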