[Tfug] using ssh key for sudo auth?
Jeremy C. Reed
reed at reedmedia.net
Mon May 7 23:14:49 MST 2007
On Mon, 7 May 2007, Chad Woolley wrote:
> The use_loginclass looks promising, but I don't really understand how
> to use it (or what a loginclass is).
I don't recall ever seeing or using login classes on any Linux systems.
(It is probably not available and sudo isn't built with that support on
Linux.)
Login classes on BSD systems set up resource limits, environment variables,
types of authentication, and more.
Your login class is defined in the BSD master.passwd (not in /etc/passwd;
/etc/shadow doesn't have it either, but maybe the "reserved" field could be
used for it).
This is a poor example, but my BSD workstation has /etc/login.conf with:
dummy:maxproc=5:
And the fifth field of /etc/master.passwd defines your login class:
dummy:vt759hdfjhsgdf:1004:100:dummy:0:0::/home/dummy:/bin/csh
An empty field means "default". Here is an example (but commented out):
#default:\
# :path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\
# :umask=022:\
# :datasize-max=512M:\
# :datasize-cur=512M:\
# :maxproc-max=128:\
# :maxproc-cur=64:\
# :openfiles-cur=64:\
# :stacksize-cur=4M:
Now back to sudoers and the sudo man page ... It looks like it can apply those
settings when you use sudo.
But it also can use login.conf with "BSD Auth" to use the authentication
type defined in login.conf. As far as I know this is only available on
OpenBSD and maybe BSD/OS, but probably never tested, and not on other
BSDs. The other BSDs do have a login.conf that has simple authentication
features, but they don't use "BSD Auth"; they use OpenPAM, and I don't know
if that is supported with the login.conf yet. OpenBSD's
login.conf/BSD Auth can define authentication like "activcard token",
cryptocard token, Kerberos 5, RADIUS, S/Key, SecureNet key token, x9.9
token (and the normal master.passwd database). I don't see anything related to
ssh there. But it also can do authentication based on an outside "approve"
authentication program. I haven't found examples yet and I haven't done
this myself.
Anyway, I have used various systems that do not allow any logins
authenticated without keys, and they have no root password or sudo has
NOPASSWD. Maybe you can just create dedicated users that can't log in via
ssh without a key and sudoers with NOPASSWD, if that is what you want.
Jeremy C. Reed
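The "dedicated key-only user plus NOPASSWD" arrangement Jeremy describes, written out as configuration fragments. This is an added example, not from the original post or from any BSD project; the user name "deploy", the command paths and the key comment are assumptions chosen for illustration. It goes a little beyond the post by restricting the NOPASSWD grant to specific commands and tightening the key itself, which is what you want if the key, rather than a password, is now the only thing standing between a stolen laptop and root.

```text
# --- /etc/ssh/sshd_config (assumed user name "deploy") ---
# Match blocks exist since OpenSSH 4.4; the keywords below are among
# those permitted inside Match. Only key authentication is left on
# for this account; password and keyboard-interactive (PAM) are off,
# so a guessed or leaked password is useless over ssh.
Match User deploy
    PubkeyAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no

# --- ~deploy/.ssh/authorized_keys (one line; key material elided) ---
# Key options narrow what the key can do: no forwarding, no pty,
# and only connections from the named hosts (assumed names).
from="admin.example.net,10.0.0.5",no-port-forwarding,no-pty,no-X11-forwarding ssh-rsa AAAA... deploy@laptop

# --- /etc/sudoers (edit with visudo) ---
# Because the password prompt is gone, grant the exact commands needed
# rather than ALL. Full paths are mandatory in sudoers; wildcards are
# not used here on purpose, since they widen what the rule matches.
# Command paths are assumptions for this example.
deploy  ALL=(root) NOPASSWD: /usr/sbin/service httpd restart, \
                             /usr/bin/tail -f /var/log/httpd/error_log
```

Check the sudoers file with `visudo -c` before relying on it, and confirm the ssh side with `ssh -o PubkeyAuthentication=no deploy@host`, which should be refused outright rather than fall through to a password prompt. If the box also has a root password set, this setup does not remove it; that is a separate decision.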