From owner-freebsd-questions@FreeBSD.ORG Thu Dec 26 23:16:06 2013
Date: Thu, 26 Dec 2013 14:16:06 -0800
From: Michael Sierchio
To: Matthew Seaman
Cc: FreeBSD Questions
Subject: Re: which is better for sudo: ldap accounts or sudo auto via ssh keys?
In-Reply-To: <52BCA7BA.7050200@infracaninophile.co.uk>
References: <52BCA7BA.7050200@infracaninophile.co.uk>
List-Id: User questions

On Thu, Dec 26, 2013 at 2:03 PM, Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:

> On 26/12/2013 21:02, Aleksandr Miroslav wrote:
> > I have a bunch of servers that I'm trying to tighten down.
> >
> > From a security standpoint, which would be more secure:
> >
> > - having users login from an ldap account and use that same password
> >   to authorize themselves to sudo
> >
> > - or do away with passwords entirely and have them login with ssh keys
> >   only (easy to do) and then authenticate to sudo with ssh keys (from a
> >   search, apparently this is doable). I would also like to enforce that
> >   the ssh-keys have passwords on them
>
> ssh keys are the way to go here. In fact, I'd recommend disabling use
> of passwords with ssh entirely, and relying on key based auth.

The problem with pubkey auth is that it conflates authentication with
authorization - you can avoid this if you centrally manage where sshd
looks for users' pubkeys, but it's still imperfect.

My $0.02 - use multi-factor auth, key-based + TOTP. You can easily
(starting with 9.2) integrate Google Authenticator with pubkey auth for
SSH. Your users then see something like this:

msierchio@lada:~ > ssh nardo
Authenticated with partial success.
Verification code:

My /etc/pam.d/sshd contains

auth required /usr/local/lib/pam_google_authenticator.so secret=/etc/totp/${USER}/.google_authenticator

- M
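As an added example (not Michael's configuration and not anything FreeBSD ships), here is a small POSIX shell audit that checks an sshd_config and a pam.d/sshd for the key-plus-TOTP login he describes: password authentication off, the public key required first and then the PAM keyboard-interactive step, and the TOTP module mandatory in the auth stack. The two sample sshd_config texts and the sample PAM stack are constructed; the module path and secret location are taken from his mail and stand in for whatever the local install uses.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config and a
# /etc/pam.d/sshd for "pubkey + TOTP" multi-factor login.
# The sample configs further down are constructed; paths are placeholders.

# Read an sshd_config on stdin; return 0 only if every setting needed for
# key + keyboard-interactive (PAM) multi-factor login is present.
audit_sshd_config() {
    # drop comments and blank lines; keywords are case-insensitive, so
    # lower-case everything before comparing
    conf=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' | tr '[:upper:]' '[:lower:]')
    rc=0
    for want in "passwordauthentication no" \
                "pubkeyauthentication yes" \
                "challengeresponseauthentication yes" \
                "usepam yes" \
                "authenticationmethods publickey,keyboard-interactive"; do
        # allow any run of whitespace between keyword and value
        pat=$(printf '%s' "$want" | sed 's/ /[[:space:]]+/')
        if ! printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*$pat[[:space:]]*$"; then
            echo "sshd_config: missing or wrong: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Read a pam.d/sshd on stdin; return 0 only if the TOTP module is a
# mandatory step (required or requisite) in the auth stack.  A
# "sufficient" entry would let the stack pass without it.
audit_pam_sshd() {
    sed -e 's/#.*//' |
        grep -Eq '^auth[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_google_authenticator\.so'
}

# Constructed sample: still accepts passwords and enforces no second factor.
WEAK_SSHD='PasswordAuthentication yes
PubkeyAuthentication yes
UsePAM yes'

# Constructed sample: the hardened form.  The AuthenticationMethods
# ordering is what makes sshd print "Authenticated with partial success"
# after the key is accepted and before the PAM prompt.
STRONG_SSHD='PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive'

# Constructed sample PAM stack; module path and secret= location are
# placeholders (they follow the line quoted in the mail).
STRONG_PAM='# TOTP second factor, secret kept outside the user home directory
auth required /usr/local/lib/pam_google_authenticator.so secret=/etc/totp/${USER}/.google_authenticator'

# Report one audit result without aborting the script.
report() {  # $1 label, $2 audit function, $3 config text
    if printf '%s\n' "$3" | "$2" 2>/dev/null; then
        echo "$1: ok"
    else
        echo "$1: not compliant"
    fi
}

report "weak sshd_config" audit_sshd_config "$WEAK_SSHD"
report "hardened sshd_config" audit_sshd_config "$STRONG_SSHD"
report "pam.d/sshd" audit_pam_sshd "$STRONG_PAM"
```

On a real host the same functions read the live files (`audit_sshd_config < /etc/ssh/sshd_config`, `audit_pam_sshd < /etc/pam.d/sshd`). Two design points worth keeping: the PAM check insists on `required`/`requisite`, because a `sufficient` TOTP entry can be bypassed by whatever follows it in the stack; and a `secret=` path under a root-owned directory such as the `/etc/totp/${USER}/` in the mail, rather than `~/.google_authenticator`, means a user cannot simply delete or rewrite the file to drop their own second factor.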