Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 26 Dec 2013 22:03:38 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: which is better for sudo: ldap accounts or sudo auto via ssh keys?
Message-ID:  <52BCA7BA.7050200@infracaninophile.co.uk>
In-Reply-To: <CACcSE1wxd3fmV+xNTpa1LDLS+mausd6vBHX3Yui8KyuU=EwCVQ@mail.gmail.com>
References:  <CACcSE1wxd3fmV+xNTpa1LDLS+mausd6vBHX3Yui8KyuU=EwCVQ@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--2fbbJCpXBTwSHSG2wQLiQjnFrE8tKkxqN
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

On 26/12/2013 21:02, Aleksandr Miroslav wrote:
> I have a bunch of servers that I'm trying to tighten down.
>=20
> From a security standpoint, which would be more secure:
>=20
> - having users login from an ldap account and use that same password
> to authorize themselves to sudo
>=20
>=20
> - or do away with passwords entirely and have them login with ssh keys
> only (easy to do) and then authenticate to sudo with ssh keys (from a
> search, apparently this is doable). I would also like to enforce that
> the ssh-keys have passwords on them

ssh keys are the way to go here.  In fact, I'd recommend disabling use
of passwords with ssh entirely, and relying on key based auth.

The problem with passwords is that you've either got to store them in
your authentication database in plain, or you've got to transmit them
across the network in plain (although protected by TLS).  This means
that passwords tend to escape, and that blows your security wide open.
Also there's very few people that can choose or remember appropriately
strong passwords worth a damn[*].

SSH keys simply don't suffer from this weakness, and it's perfectly OK
to make the public keys readily available.  If you can enforce your
password policy (which you'll have to do by education and consensus, as
there's nothing in SSH itself to require use of passphrases on keys),
then anyone trying to break in by stealing SSH keys will also need to
obtain the matching passphrases, so that's reasonable extra security.

=46rom a day-to-day usability perspective, using gpg-agent as the local
keystore for SSH keys seem the best procedure: unlike ssh-agent, it will
require you to re-auth after a certain period of inactivity, and it
keeps the keys encrypted in RAM during operation.

LDAP pubkey I haven't played with in a while, but last time I did, it
worked well.  security/pam_ssh_agent_auth works like a charm, although I
have generally been storing the authorized keys in a text file on each
server.  Not sure if you can hook it up to LDAP pubkey,
but well worth investigating.

	Cheers,

	Matthew

[*] The XKCD method not withstanding.

--=20
Dr Matthew J Seaman MA, D.Phil.

PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk


--2fbbJCpXBTwSHSG2wQLiQjnFrE8tKkxqN
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJ8BAEBCgBmBQJSvKfDXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2NTNBNjhCOTEzQTRFNkNGM0UxRTEzMjZC
QjIzQUY1MThFMUE0MDEzAAoJELsjr1GOGkAT52gP/jD4OLELuPsNZCBUZ/bWpbO3
cqdbt1lfdoib9JKtIGY+I9Fg5l0iwhYrnVE65Ci48EbPRhpQM/tzpjsmuIERkq9D
fpONvbskwRzBqe7UxCbjXtvLASUKY2jlHdXXgGNSFB/Ts7F90FJHEjfGtEMn3CTO
l4cT7aR9+y248SFs+qBRpejoq8NeHBsnuWzOBCkWA8Ctb0eMJHu9gjGpGNyKeCHf
TB2B2Pzs1NZvCwyXuIfcFS2o8G+2SeTMGZkKmEvfGpbWWoc3KDynJ6AOk6CnEBOM
rvb+lVw386FGDCtHMDJpMPvstFRGTTwwuTzr2A1VF8ug9cLRj0hSRym450iGtmEu
hsW0c8njX/KnnSbWtKVY2Czbkco5m5Jn5aQgawXUPU+4TkhB1c1pXcDwbKzTANdF
dQv66N6yjwSwz6rGfF76TQl9RQ+pBNykiVMJixUeDwScJdoJdveHVXj0iPhwVist
VcrO3RHhtYZI/bKn9TGC7Jc3VcAuAFRhdYUvBWzQ0aQVhXzlfpWcLdXwt1ew10Hu
Z5rDhvHpkGZt40A02eB576Z2tqvNFYRbgUYNGERQueNk3XB3ciaP168h6ct4dnFf
0sk8RVV2pYiPwMtSVwpagY9rIPMv3cXYvrPTmO8WEGqX9Tx9Bwz0YBzX5y3xEEHX
tpoDJOCEA7AhK42x8KkQ
=VmEu
-----END PGP SIGNATURE-----

--2fbbJCpXBTwSHSG2wQLiQjnFrE8tKkxqN--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?52BCA7BA.7050200>