From owner-freebsd-questions@freebsd.org Mon Mar 13 17:45:49 2017
Date: Mon, 13 Mar 2017 18:39:05 +0100
From: Solène Rapenne
X-Sender: solene@perso.pw
To: FreeBSD Questions
Subject: Re: sudo alternatives; for the minimalists
In-Reply-To: <20170313173427.GA83078@geeks.org>
References: <58C6BDC0.7070307@omnilan.de> <58C6D50B.8030803@omnilan.de> <20170313173427.GA83078@geeks.org>
Message-ID: <6a2eb36b9d6c0d80383287e3fa20ebc7@perso.pw>
User-Agent: Roundcube Webmail/1.2.3
List-Id: User questions

On 2017-03-13 18:34, Doug McIntyre wrote:
> On Mon, Mar 13, 2017 at 06:21:15PM +0100, Harry Schmalzbauer wrote:
>> Regarding Phil Eaton's message of 13.03.2017 16:48 (localtime):
>> > How do you feel about the security/doas port from OpenBSD?
>>
>> Thanks, most likely worth a look. But it has no credentials caching,
>> does it?
>> That's my most wanted feature, otherwise I'm still fine with su (no
>> classic user privileging needed, only for admin tasks)
>
> I think you are collapsing two features into one with this requirement,
> and I'm not sure what you are expecting.
>
> One way to do what I think you are looking for is you can use SSH
> public-key auth to PAM authenticate in as root privileges into a
> server.
>
> e.g. see this discussion thread.
>
> https://forums.freebsd.org/threads/35645/
>
> Another way keychain/SSH is used is as an ssh-agent (probably likely
> what you are looking for).
>
> I was trying to find a decent web page (i.e. more than a mention
> of how to run ssh-agent), but ran across a wrapper that did a bit
> more with it for you.
>
> http://www.funtoo.org/index.php?title=Keychain
>
> with links to a better description of ssh-agent and using it, even if
> they are a bit dated (i.e. ignore the part about DSA keys altogether).
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

I was about to answer the same thing. Set PermitRootLogin to allow
authentication with keys, and use ssh-agent as your regular user to cache
the private key password. And then, create an alias with
alias sudo="ssh root@localhost" and you are done.

So:

as user:
- ssh-keygen # create your private key with password

as root:
- modify /etc/ssh/sshd_config and set "PermitRootLogin prohibit-password"
- /etc/rc.d/sshd restart
- mkdir -p /root/.ssh/
- cat /home/user/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
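The root-login-over-ssh setup described above, written up as an added shell helper (my code, not anything posted in the thread): it reads the effective PermitRootLogin value the way sshd does (first uncommented match wins) and appends the user's public key to root's authorized_keys only once, prefixed with a from="127.0.0.1,::1" restriction so sshd accepts that key only over loopback, which is what a local sudo replacement should allow. The function names are mine, and the file paths are parameters so the helper can be exercised against temporary files; the real targets are /etc/ssh/sshd_config and /root/.ssh/authorized_keys, written as root.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.

# Print the effective value of an sshd_config keyword. sshd uses the first
# match, and commented-out lines ("#PermitRootLogin no") do not count.
# Usage: sshd_option <sshd_config> <keyword>
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Install a public key for root, restricted to loopback source addresses so
# the key works for "ssh root@localhost" but not for remote root logins.
# Appending is idempotent: an already-present key is not added twice.
# Usage: install_root_key <id_rsa.pub> <authorized_keys>
install_root_key() {
    pubkey=$(cut -d' ' -f1-2 "$1")   # key type + base64 only; drop the comment
    keydir=$(dirname "$2")
    mkdir -p "$keydir" && chmod 700 "$keydir"
    touch "$2" && chmod 600 "$2"      # sshd's StrictModes rejects loose perms
    if grep -qF "$pubkey" "$2"; then
        return 0
    fi
    printf 'from="127.0.0.1,::1" %s\n' "$pubkey" >> "$2"
}
```

On the live system, run `install_root_key /home/user/.ssh/id_rsa.pub /root/.ssh/authorized_keys` as root after the sshd_config change, and confirm `sshd_option /etc/ssh/sshd_config PermitRootLogin` prints prohibit-password before restarting sshd.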