linux
Unicom, 2016-02-24 07:28:01

How to make sudo authorization with ssh key?

The bottom line is:

  1. I made a user, gave him sudo, disabled password authentication, and disabled root login.
  2. Every time you use sudo, it asks for a password.
  3. If the password is removed or made unreliable (it is now more than 20 characters), this is, as they say, a hole. But in general, what is the point of it, and why, having given up passwords for logging in to the server, do I now need to enter a password to confirm root rights? The logic is completely inconsistent.

It has to be one or the other:
  • Either refusing password authorization and allowing authorization only by key is a sufficient measure, and you don't need to remove root anywhere
  • Or you need to make authorization consistent, i.e. sudo should ask the user not for a password but for an RSA key from the ssh client.

There is another option: completely remove the password from sudo, but then what's the point of it at all? That would essentially be the same root with an extra step (having to run every little thing through sudo).
I decided to go the second way and do authorization through ssh keys using pam_ssh_agent_auth. I did it according to this instruction:
mike.depalatis.net/ssh-agent-for-sudo -authenticati...
The result is null - it still requires a password. There is a rather big chance that I screwed up somewhere because the instruction is completely jammed at the end - I don’t quite understand what is there and how.
What thoughts?
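
A pre-flight check for the pam_ssh_agent_auth setup described in the question, as an added example that is not part of the original post or of the linked instruction. It assumes the commonly documented layout (module line in the sudo PAM file, SSH_AUTH_SOCK kept by sudoers, a separate key list); the function names and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Pre-flight checks for sudo authentication through pam_ssh_agent_auth.
# Every check takes a path, so it can be run on copies of the real files.

# The module must be the first active auth entry. If another auth line or an
# @include precedes it, that entry may prompt for the password first.
# (Heuristic: stricter than PAM itself requires.)
check_pam() {
    awk '/^[ \t]*(#|$)/ { next }
         $1 == "auth" && /pam_ssh_agent_auth\.so/ { found = 1; exit }
         $1 == "auth" || $1 == "@include" { exit }
         END { exit !found }' "$1"
}

# sudo must keep SSH_AUTH_SOCK, or the module cannot reach the agent.
check_sudoers() {
    grep -Eq '^[[:space:]]*Defaults.*env_keep.*SSH_AUTH_SOCK' "$1"
}

# The key list decides who gets root: it must belong to the expected uid
# (0 unless given) and must not be writable by group or others.
check_keyfile() {
    [ -f "$1" ] || return 1
    [ "$(ls -ln "$1" | awk '{ print $3 }')" = "${2:-0}" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# preflight PAM_FILE SUDOERS KEYFILE [UID]: print findings, return their count.
preflight() {
    n=0
    check_pam "$1" || { echo "FAIL: agent module is not first auth entry in $1"; n=$((n + 1)); }
    check_sudoers "$2" || { echo "FAIL: $2 does not keep SSH_AUTH_SOCK"; n=$((n + 1)); }
    check_keyfile "$3" "${4:-0}" || { echo "FAIL: $3 has bad owner or mode"; n=$((n + 1)); }
    [ -S "${SSH_AUTH_SOCK:-}" ] || echo "NOTE: no agent socket here (connect with ssh -A)"
    return "$n"
}

# Constructed sample files, not taken from the original post.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mod='auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys'
printf '%s\n' '#%PAM-1.0' '@include common-auth' "$mod" > "$demo/pam.late"
printf '%s\n' '#%PAM-1.0' "$mod" '@include common-auth' > "$demo/pam.first"
printf '%s\n' 'Defaults env_reset' 'Defaults env_keep += "SSH_AUTH_SOCK"' > "$demo/sudoers"
printf '%s\n' 'ssh-ed25519 AAAA...constructed admin@example' > "$demo/keys"
chmod 644 "$demo/keys"

preflight "$demo/pam.late" "$demo/sudoers" "$demo/keys" "$(id -u)" || true  # ordering problem
preflight "$demo/pam.first" "$demo/sudoers" "$demo/keys" "$(id -u)"         # no FAIL lines
```

On a real host, run `preflight` as root against the sudo PAM file, the sudoers file and the key list named in the module's `file=` option, leaving the uid argument off so that root ownership is required.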

4 answer(s)
mikes, 2016-02-24
@mikes

If you have a user who constantly works with root rights, then there are options:
1. include him in the root group
2. just enable the root login and not worry about the user account
3. write the necessary commands in sudoers that will be executed for him without asking for a password.
4. use sudo -i and continue as root by entering your password only 1 time.

aol-nnov, 2016-02-24
@aol-nnov

and how about

PermitRootLogin without-password
and add your key to root's authorized_keys?
and not think about anything?
How will it be less secure than authorization by the key of a simple user, and then authorization in sudo with the same key?

Yuri Chudnovsky, 2016-02-24
@Frankenstine

Actually, ssh and sudo are completely different things. If you want by key, then
1) enter some short name for the computer in /etc/hosts, for example 127.0.0.1 me
2) put the root key
3) instead of sudo -s do ssh [email protected]
Of course, you will not be able to run GUI programs (add -X).

Andrey Veklichev, 2016-03-07
@wzooff

My thoughts and how I do it at home :)
Password login over ssh is not allowed, so that it can't be guessed. The way out is to use keys (which is sort of obvious).
The password must be complex, simply because you never know. Generated, recorded, locked up.
The administrator must have an account not equal to root, for example, newroot, so that it can't be guessed. Because bots often try to break in as root.
And also change the port ...
Do sudo without a password :) because it's convenient.
Well, you need to understand that there must be different users in the system. I.e., as it were, root is a system one, and your neroot will be for the admin. And www-data is for the web server. And then it will be clear who broke what and why you went to the server drunk (well, if there are logs). Something like this...
