Date: Thu, 26 Dec 2013 22:03:38 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: which is better for sudo: ldap accounts or sudo auto via ssh keys?
Message-ID: <52BCA7BA.7050200@infracaninophile.co.uk>
In-Reply-To: <CACcSE1wxd3fmV%2BxNTpa1LDLS%2Bmausd6vBHX3Yui8KyuU=EwCVQ@mail.gmail.com>
References: <CACcSE1wxd3fmV%2BxNTpa1LDLS%2Bmausd6vBHX3Yui8KyuU=EwCVQ@mail.gmail.com>
On 26/12/2013 21:02, Aleksandr Miroslav wrote:
> I have a bunch of servers that I'm trying to tighten down.
>
> From a security standpoint, which would be more secure:
>
> - having users login from an ldap account and use that same password
> to authorize themselves to sudo
>
> - or do away with passwords entirely and have them login with ssh keys
> only (easy to do) and then authenticate to sudo with ssh keys (from a
> search, apparently this is doable). I would also like to enforce that
> the ssh-keys have passwords on them

SSH keys are the way to go here. In fact, I'd recommend disabling use of passwords with ssh entirely, and relying on key-based auth.

The problem with passwords is that you've either got to store them in your authentication database in plain, or you've got to transmit them across the network in plain (although protected by TLS). This means that passwords tend to escape, and that blows your security wide open. Also there are very few people that can choose or remember appropriately strong passwords worth a damn[*].

SSH keys simply don't suffer from this weakness, and it's perfectly OK to make the public keys readily available. If you can enforce your password policy (which you'll have to do by education and consensus, as there's nothing in SSH itself to require use of passphrases on keys), then anyone trying to break in by stealing SSH keys will also need to obtain the matching passphrases, so that's reasonable extra security.

From a day-to-day usability perspective, using gpg-agent as the local keystore for SSH keys seems the best procedure: unlike ssh-agent, it will require you to re-auth after a certain period of inactivity, and it keeps the keys encrypted in RAM during operation.
LDAP pubkey I haven't played with in a while, but last time I did, it worked well. security/pam_ssh_agent_auth works like a charm, although I have generally been storing the authorized keys in a text file on each server. Not sure if you can hook it up to LDAP pubkey, but well worth investigating.

Cheers,

Matthew

[*] The XKCD method notwithstanding.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
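The setup Matthew describes (key-only ssh logins, sudo authenticating through pam_ssh_agent_auth) hinges on three settings that are easy to get subtly wrong. The audit script below is an added example, not from this thread or from the pam_ssh_agent_auth project; it checks constructed sample files and assumes an sshd_config without Match blocks, with the sample paths and contents made up for the demonstration.

```shell
#!/bin/sh
# Audit the settings a key-only ssh + pam_ssh_agent_auth sudo setup depends on.
# Assumptions (not from the original mail): no Match blocks in sshd_config;
# sample file contents below are constructed for this demonstration.

# Effective value of an sshd_config keyword: sshd takes the FIRST occurrence,
# so a "PasswordAuthentication no" appended at the end of the file is silently
# overridden by an earlier "yes". Prints the built-in default when absent.
sshd_effective() {  # $1=config file  $2=keyword  $3=default
    awk -v kw="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF < 2     { next }
        tolower($1) == tolower(kw)     { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }' "$1"
}

# Password logins are only really off when keyboard-interactive (PAM) is off too;
# ChallengeResponseAuthentication is the 2013-era name, still accepted as an alias.
sshd_password_auth_disabled() {  # $1=sshd_config
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(sshd_effective "$1" ChallengeResponseAuthentication yes)" = no ]
}

# pam.d/sudo must carry an uncommented auth line for pam_ssh_agent_auth.so.
sudo_pam_uses_agent_auth() {  # $1=pam.d/sudo
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#[:space:]]+[[:space:]]+[^[:space:]]*pam_ssh_agent_auth\.so' "$1"
}

# sudo scrubs the environment; without env_keep the module never sees the agent socket.
sudoers_keeps_agent_socket() {  # $1=sudoers
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"?[^"]*SSH_AUTH_SOCK' "$1"
}

audit() {  # $1=sshd_config  $2=pam.d/sudo  $3=sudoers ; 0 only if all three pass
    sshd_password_auth_disabled "$1" && sudo_pam_uses_agent_auth "$2" && sudoers_keeps_agent_socket "$3"
}

# Constructed sample files: a weak set and a hardened set.
SAMPLES=$(mktemp -d)
printf 'PasswordAuthentication yes\n# later edit, ignored by sshd:\nPasswordAuthentication no\n' > "$SAMPLES/sshd_weak"
printf 'auth\trequired\tpam_unix.so\n' > "$SAMPLES/pam_sudo_weak"
printf 'root ALL=(ALL) ALL\n' > "$SAMPLES/sudoers_weak"
printf 'PasswordAuthentication no\nChallengeResponseAuthentication no\nPubkeyAuthentication yes\n' > "$SAMPLES/sshd_hard"
printf 'auth\tsufficient\t/usr/local/lib/pam_ssh_agent_auth.so file=/etc/security/authorized_keys\nauth\trequired\tpam_unix.so\n' > "$SAMPLES/pam_sudo_hard"
printf 'Defaults env_keep += "SSH_AUTH_SOCK"\nroot ALL=(ALL) ALL\n' > "$SAMPLES/sudoers_hard"

audit "$SAMPLES/sshd_weak" "$SAMPLES/pam_sudo_weak" "$SAMPLES/sudoers_weak" && echo "weak set: pass" || echo "weak set: FAIL (expected)"
audit "$SAMPLES/sshd_hard" "$SAMPLES/pam_sudo_hard" "$SAMPLES/sudoers_hard" && echo "hardened set: pass" || echo "hardened set: FAIL"
```

Point the three functions at the real /etc/ssh/sshd_config, /usr/local/etc/pam.d/sudo and /usr/local/etc/sudoers on a FreeBSD host to run the same checks there.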