1 |
On 7/15/22 1:15 AM, J. Roeleveld wrote: |
2 |
> Yes. |
3 |
|
4 |
Okay. |
5 |
|
6 |
That simply means that SSH keys won't be used to authenticate to the |
7 |
remote system. |
8 |
|
9 |
> How would it not prompt for a password. |
10 |
|
11 |
There is a PAM module; pam_ssh_agent_auth, which can be used to enable |
12 |
users to authenticate to sudo using SSH keys. This means that the user |
13 |
/does/ authenticate to sudo as necessary. It's just that the |
14 |
authentication happens behind the scenes and they don't need to enter |
15 |
their password. Thus you can avoid the NOPASSWD: option which means a |
16 |
better security posture. |
17 |
|
18 |
> I need something that will take the password from the vault (I |
19 |
> can do this in Python and shell-scripting. Probably also in other |
20 |
> scripts). Authenticating to the vault can be done on a session basis |
21 |
> and shared. So locally, I'd only login once. |
22 |
|
23 |
Sure. |
24 |
|
25 |
> Currently, yes. I never physically see the password as it currently |
26 |
> goes into the clipboard and gets wiped from there after a short time |
27 |
> period. Enough time to paste it into the password-prompt. It's |
28 |
> the copy/pasting that I am looking to automate into a single |
29 |
> "login-to-remote-host" script. |
30 |
|
31 |
I would not consider the copy and paste method to be secure. There are |
32 |
plenty of utilities to monitor the clipboard et al. and copy the new |
33 |
contents in extremely short order. As such, users could arrange to |
34 |
acquire copies of the password passing through the clipboard. |
35 |
|
36 |
I would strongly suggest exploring options that don't use the clipboard |
37 |
and instead retrieve the password from the vault and inject it into the |
38 |
remote system without using the clipboard. |
39 |
|
40 |
Or, authenticate to sudo a different way that doesn't involve a |
41 |
password. This will work for 90+ percent of the use cases. Meaning |
42 |
that the sensitive password is needed for 10 percent or less of the |
43 |
time. Thereby reducing the possible sensitive password exposure. }:-) |
44 |
|
45 |
> I prefer not to use SSH keys for this as they tend to exist for years |
46 |
> in my experience. And one unnoticed leak can open up a lot of systems. |
47 |
|
48 |
That is a valid concern. |
49 |
|
50 |
I'd strongly suggest that you research SSH /certificates/. SSH |
51 |
/certificates/ support a finite life time /and/ can specify what |
52 |
command(s) / action(s) they can be used for. |
53 |
|
54 |
My $EMPLOYER uses SSH /certificates/ that last about 8 hours. I've |
55 |
heard of others that use SSH /certificates/ that last for a single digit |
56 |
number of minutes or even seconds. The idea being that the SSH |
57 |
/certificate/ only lasts just long enough for it to be used for it's |
58 |
intended purpose and no longer. |
59 |
|
60 |
The ability to specify the command; e.g. "su -" that is allowed to be |
61 |
executed means that people can't use them to start any other command. }:-) |
62 |
|
63 |
> This is why I use passwords. (passwords are long random strings that |
64 |
> are changed regularly) |
65 |
|
66 |
Fair enough. I only counter with take a few minutes to research SSH |
67 |
/certificates/ and see if they are of any interest to you. |
68 |
|
69 |
|
70 |
|
71 |
-- |
72 |
Grant. . . . |
73 |
unix || die |