From: Rob Andrews
Date: Wed, 27 Mar 2002 12:33:20 -0600
To: security@freebsd.org
Subject: sudo.. a better way maybe?
Message-ID: <20020327123320.T82300@switchblade.cyberpunkz.org>
Organization: Cyberpunk Alliance

I've had some thoughts about sudo after the dialog about su earlier. Thought maybe someone might be able to shed some light on something I've been attempting to figure out how to put into action on machines of mine. While I've heard it being done I have yet to see any real support or documentation which might help me to support the following.

Sudo is safe provided that a user's password and account are not compromised by an outside forced intrusion. However, in the event that someone does gain access to a user account which does have sudo permission on the machine (this happened during a period where there was an OpenSSH bug which allowed users on another system to gain passwords being used by other system users who were logging into a remote system via the hacked system), it would be a simple thing to just sudo with the user's current password, which they already have in hand.

I've seen this done on Linux systems, and when we attempted to do much the same thing on a FreeBSD system it choked and died on us. Using PAM we wanted to create a new sudo password file which PAM would use to authenticate the user. Our attempts failed at the time due to sudo ending up crashing after repeated attempts to access the password file. It just made sense to attempt to do a compare of the user's current system password and fail that password for sudo should a user attempt to use it. Forcing the user to pick a new password that is in a separate database from the regular password file gives a small comfort zone that before was not able to be used with regard to sudo.

If anyone has any ideas or documentation dealing with this subject I'd be most appreciative for pointing me in the correct direction. I don't really like having the only way to gain access to the systems with RSA keypairs, but thus far it seemed like the most logical solution to the problem I was having. I mean it's not completely safe either way. But the lack of plaintext passwords was the best alternative to my concerns about sudo access.

Thanks in advance..

Rob Andrews
http://cyberpunkz.org/
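
The separation described in the message above, sketched as an added example (it is not part of the original post and is not sudo's or PAM's own code): a second password database used only for sudo, with enrollment refusing the user's current login password. The `SudoPasswordStore` class, the in-memory dictionaries, the PBKDF2 record format standing in for crypt(3) hashes, and the user name and passwords are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password, salt=None):
    """Return a 'salt_hex$digest_hex' record (PBKDF2 stands in for crypt(3))."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Constant-time check of a password against a stored record."""
    salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class SudoPasswordStore:
    """Hypothetical second password database consulted only for sudo."""

    def __init__(self, login_db):
        self.login_db = login_db  # user -> login password record
        self.sudo_db = {}         # user -> sudo password record

    def enroll(self, user, new_password):
        # Refuse a sudo password that matches the current login password.
        if verify_password(new_password, self.login_db[user]):
            raise ValueError("sudo password must differ from login password")
        self.sudo_db[user] = hash_password(new_password)

    def login_change_allowed(self, user, new_login_password):
        # Same rule in reverse: a new login password may not equal the sudo one.
        record = self.sudo_db.get(user)
        return record is None or not verify_password(new_login_password, record)

    def authenticate(self, user, password):
        # No fallback to the login database: an unenrolled user is denied.
        record = self.sudo_db.get(user)
        return record is not None and verify_password(password, record)


if __name__ == "__main__":
    # Constructed sample data.
    store = SudoPasswordStore({"alice": hash_password("login-secret")})
    store.enroll("alice", "separate-sudo-secret")
    print(store.authenticate("alice", "login-secret"))          # stolen login password
    print(store.authenticate("alice", "separate-sudo-secret"))  # sudo password
```

The reverse check matters because the comparison at enrollment only holds until the login password is next changed.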