From: Matthew Seaman
Date: Thu, 26 Dec 2013 22:03:38 +0000
Message-ID: <52BCA7BA.7050200@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: which is better for sudo: ldap accounts or sudo auto via ssh keys?

On 26/12/2013 21:02, Aleksandr Miroslav wrote:
> I have a bunch of servers that I'm trying to tighten down.
>
> From a security standpoint, which would be more secure:
>
> - having users login from an ldap account and use that same password
> to authorize themselves to sudo
>
> - or do away with passwords entirely and have them login with ssh keys
> only (easy to do) and then authenticate to sudo with ssh keys (from a
> search, apparently this is doable). I would also like to enforce that
> the ssh-keys have passwords on them

ssh keys are the way to go here. In fact, I'd recommend disabling use of
passwords with ssh entirely, and relying on key based auth.

The problem with passwords is that you've either got to store them in
your authentication database in plain, or you've got to transmit them
across the network in plain (although protected by TLS).
This means that passwords tend to escape, and that blows your security
wide open. Also there are very few people who can choose or remember
appropriately strong passwords worth a damn[*].

SSH keys simply don't suffer from this weakness, and it's perfectly OK to
make the public keys readily available. If you can enforce your password
policy (which you'll have to do by education and consensus, as there's
nothing in SSH itself to require use of passphrases on keys), then anyone
trying to break in by stealing SSH keys will also need to obtain the
matching passphrases, so that's reasonable extra security.

From a day-to-day usability perspective, using gpg-agent as the local
keystore for SSH keys seems the best procedure: unlike ssh-agent, it will
require you to re-auth after a certain period of inactivity, and it keeps
the keys encrypted in RAM during operation.

LDAP pubkey I haven't played with in a while, but last time I did, it
worked well. security/pam_ssh_agent_auth works like a charm, although I
have generally been storing the authorized keys in a text file on each
server. Not sure if you can hook it up to LDAP pubkey, but well worth
investigating.

	Cheers,

	Matthew

[*] The XKCD method notwithstanding.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
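As an added example, not code from Matthew's post or from the pam_ssh_agent_auth project: a small POSIX shell script that audits an sshd_config for the key-only policy recommended above and prints the pam.d and sudoers lines sudo needs to accept a key from the user's forwarded agent. The FreeBSD port paths and /etc/security/authorized_keys as the sudo key file are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or the pam_ssh_agent_auth project.
# Audits an sshd_config for the key-only policy recommended above and prints
# the PAM/sudoers lines sudo needs to accept a forwarded agent key.
# Assumed: FreeBSD port paths; /etc/security/authorized_keys as the key file.

# sshd honours the FIRST uncommented value of a keyword, so that is what we
# read; a keyword that never appears takes its compiled-in default ($3).
sshd_effective() {
    _v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${_v:-$3}"
}

# 0 when only public-key auth can succeed. ChallengeResponseAuthentication
# must be off too: with UsePAM it yields a keyboard-interactive password prompt.
sshd_key_only() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(sshd_effective "$1" ChallengeResponseAuthentication yes)" = no ] &&
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ]
}

# Lines that let sudo authenticate against the user's (forwarded) ssh-agent.
pam_sudo_snippet() {
    cat <<'EOF'
# /usr/local/etc/pam.d/sudo, ahead of the system auth lines:
auth  sufficient  /usr/local/lib/pam_ssh_agent_auth.so file=/etc/security/authorized_keys
# /usr/local/etc/sudoers (edit with visudo), so sudo can reach the agent socket:
Defaults env_keep += "SSH_AUTH_SOCK"
EOF
}

# Constructed sample configs: a stock-style file and a hardened one.
tmp=$(mktemp -d)
printf '%s\n' 'PubkeyAuthentication yes' '#PasswordAuthentication no' > "$tmp/stock"
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'PubkeyAuthentication yes' > "$tmp/hardened"

for f in stock hardened; do
    if sshd_key_only "$tmp/$f"; then
        echo "$f: key-only, passwords cannot be used"
    else
        echo "$f: passwords still accepted (run 'sshd -T' to confirm live values)"
    fi
done
pam_sudo_snippet
rm -rf "$tmp"
```

Remote sudo with pam_ssh_agent_auth needs the client to forward its agent (ssh -A), which is only sensible once the private keys themselves carry passphrases as Matthew describes.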