| 1 |
On 7/15/22 1:15 AM, J. Roeleveld wrote: |
| 2 |
> Yes. |
| 3 |
|
| 4 |
Okay. |
| 5 |
|
| 6 |
That simply means that SSH keys won't be used to authenticate to the |
| 7 |
remote system. |
| 8 |
|
| 9 |
> How would it not prompt for a password. |
| 10 |
|
| 11 |
There is a PAM module; pam_ssh_agent_auth, which can be used to enable |
| 12 |
users to authenticate to sudo using SSH keys. This means that the user |
| 13 |
/does/ authenticate to sudo as necessary. It's just that the |
| 14 |
authentication happens behind the scenes and they don't need to enter |
| 15 |
their password. Thus you can avoid the NOPASSWD: option which means a |
| 16 |
better security posture. |
| 17 |
|
| 18 |
> I need something that will take the password from the vault (I |
| 19 |
> can do this in Python and shell-scripting. Probably also in other |
| 20 |
> scripts). Authenticating to the vault can be done on a session basis |
| 21 |
> and shared. So locally, I'd only login once. |
| 22 |
|
| 23 |
Sure. |
| 24 |
|
| 25 |
> Currently, yes. I never physically see the password as it currently |
| 26 |
> goes into the clipboard and gets wiped from there after a short time |
| 27 |
> period. Enough time to paste it into the password-prompt. It's |
| 28 |
> the copy/pasting that I am looking to automate into a single |
| 29 |
> "login-to-remote-host" script. |
| 30 |
|
| 31 |
I would not consider the copy and paste method to be secure. There are |
| 32 |
plenty of utilities to monitor the clipboard et al. and copy the new |
| 33 |
contents in extremely short order. As such, users could arrange to |
| 34 |
acquire copies of the password passing through the clipboard. |
| 35 |
|
| 36 |
I would strongly suggest exploring options that don't use the clipboard |
| 37 |
and instead retrieve the password from the vault and inject it into the |
| 38 |
remote system without using the clipboard. |
| 39 |
|
| 40 |
Or, authenticate to sudo a different way that doesn't involve a |
| 41 |
password. This will work for 90+ percent of the use cases. Meaning |
| 42 |
that the sensitive password is needed for 10 percent or less of the |
| 43 |
time. Thereby reducing the possible sensitive password exposure. }:-) |
| 44 |
|
| 45 |
> I prefer not to use SSH keys for this as they tend to exist for years |
| 46 |
> in my experience. And one unnoticed leak can open up a lot of systems. |
| 47 |
|
| 48 |
That is a valid concern. |
| 49 |
|
| 50 |
I'd strongly suggest that you research SSH /certificates/. SSH |
| 51 |
/certificates/ support a finite life time /and/ can specify what |
| 52 |
command(s) / action(s) they can be used for. |
| 53 |
|
| 54 |
My $EMPLOYER uses SSH /certificates/ that last about 8 hours. I've |
| 55 |
heard of others that use SSH /certificates/ that last for a single digit |
| 56 |
number of minutes or even seconds. The idea being that the SSH |
| 57 |
/certificate/ only lasts just long enough for it to be used for it's |
| 58 |
intended purpose and no longer. |
| 59 |
|
| 60 |
The ability to specify the command; e.g. "su -" that is allowed to be |
| 61 |
executed means that people can't use them to start any other command. }:-) |
| 62 |
|
| 63 |
> This is why I use passwords. (passwords are long random strings that |
| 64 |
> are changed regularly) |
| 65 |
|
| 66 |
Fair enough. I only counter with take a few minutes to research SSH |
| 67 |
/certificates/ and see if they are of any interest to you. |
| 68 |
|
| 69 |
|
| 70 |
|
| 71 |
-- |
| 72 |
Grant. . . . |
| 73 |
unix || die |
Archives