From owner-freebsd-questions@freebsd.org Mon Mar 13 17:34:36 2017
Date: Mon, 13 Mar 2017 12:34:27 -0500
From: Doug McIntyre
To: Harry Schmalzbauer
Cc: FreeBSD Questions !!!!
Subject: Re: sudo alternatives; for the minimalists
Message-ID: <20170313173427.GA83078@geeks.org>
References: <58C6BDC0.7070307@omnilan.de> <58C6D50B.8030803@omnilan.de>
In-Reply-To: <58C6D50B.8030803@omnilan.de>
List-Id: User questions
User-Agent: Mutt/1.8.0 (2017-02-23)

On Mon, Mar 13, 2017 at 06:21:15PM +0100, Harry Schmalzbauer wrote:
> Regarding Phil Eaton's message of 13.03.2017 16:48 (localtime):
> > How do you feel about the security/doas port from OpenBSD?
>
> Thanks, most likely worth a look. But it has no credentials caching,
> does it?
> That's my most wanted feature, otherwise I'm still fine with su (no
> classic user privileging needed, only for admin tasks)

I think you are collapsing two features into one with this requirement,
and I'm not sure what you are expecting.

One way to do what I think you are looking for is you can use SSH
public-key auth to PAM authenticate in as root privileges into a server.
E.g. see this discussion thread.
https://forums.freebsd.org/threads/35645/

Another way keychain/SSH is used is as an ssh-agent (probably likely of
what you are looking for). I was trying to find a decent web page (i.e.
more than a mention of how to run ssh-agent), but ran across a wrapper
that did a bit more with it for you.
http://www.funtoo.org/index.php?title=Keychain
with links to a better description of ssh-agent and using it, even if
they are a bit dated (i.e. ignore the part about DSA keys altogether).
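The ssh-agent wrapper idea Doug points at (reuse one agent across login shells, so a passphrase is entered once and the cached key expires on its own, which is the "credential caching" Harry is after) can be shown in a few lines of POSIX sh. The script below is an added illustration written for this thread; it is not code from the funtoo keychain project, OpenSSH, or anyone in the thread. It assumes OpenSSH's ssh-agent(1) and ssh-add(1), an env file at $HOME/.ssh/agent.env (a hypothetical path), and a key lifetime passed to `ssh-add -t`. The sample agent output embedded in it is constructed for the self-check.

```shell
#!/bin/sh
# Minimal keychain-style ssh-agent reuse. Written as an illustration for the
# thread; not the keychain project's code. Assumptions: OpenSSH ssh-agent(1) and
# ssh-add(1), an env file at $HOME/.ssh/agent.env (hypothetical path), and a key
# lifetime handed to `ssh-add -t` so the cached credential expires by itself.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"
KEY_LIFETIME="${KEY_LIFETIME:-4h}"

# Constructed sample of what `ssh-agent -s` prints (not captured from a real run).
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.4242; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4243; export SSH_AGENT_PID;
echo Agent pid 4243;'

# Reduce ssh-agent's output to the two assignments every later shell will source.
# Sourcing the raw output would execute whatever it contains, so only lines of the
# expected shape, with a conservative socket-path character set, are kept.
agent_env_from_output() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^\(SSH_AUTH_SOCK=[A-Za-z0-9/._-]*\);.*/\1; export SSH_AUTH_SOCK/p' \
        -e 's/^\(SSH_AGENT_PID=[0-9]*\);.*/\1; export SSH_AGENT_PID/p'
}

# Map the exit status of `ssh-add -l` to a state word: 0 = keys loaded,
# 1 = agent reachable but empty, anything else = no usable agent.
agent_state_from_rc() {
    case "$1" in
        0) echo keys ;;
        1) echo empty ;;
        *) echo dead ;;
    esac
}

# Probe the agent named by the env file. The sourcing happens in a subshell so
# a stale file never pollutes the caller's environment.
agent_state() {
    [ -r "$AGENT_ENV" ] || { echo dead; return; }
    ( . "$AGENT_ENV"; rc=0; ssh-add -l >/dev/null 2>&1 || rc=$?; agent_state_from_rc "$rc" )
}

# Start a fresh agent and record it with owner-only permissions: whoever can
# read the env file can reach the socket and use the cached keys.
start_agent() {
    ( umask 077
      mkdir -p "$(dirname "$AGENT_ENV")"
      agent_env_from_output "$(ssh-agent -s)" > "$AGENT_ENV" )
}

# What a login shell would call from ~/.profile: reuse a live agent, start one
# if none answers, and load keys with an expiry only if none are cached.
ensure_agent() {
    if [ "$(agent_state)" = dead ]; then
        start_agent
    fi
    . "$AGENT_ENV"
    if [ "$(agent_state)" != keys ]; then
        ssh-add -t "$KEY_LIFETIME"
    fi
}

# Run the real procedure only when asked explicitly, e.g. `sh agent.sh ensure`.
if [ "${1:-}" = ensure ]; then
    ensure_agent
fi
```

The two security-relevant choices are the filter in agent_env_from_output (a sourced file is executed, so it must contain only what you expect) and the 0600 env file plus `-t` lifetime, which together bound who can use the cached key and for how long, much as sudo's timestamp bounds a cached password.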