On 7/14/22 9:56 AM, Neil Bothwick wrote:
> That is true, but it is also true about the current setup as that
> also gives root access. I get the impression that Joost is looking
> for a more convenient approach that does not reduce security, which
> is true here...

I'm all for being /more/ secure, especially when doing so can be made to
appear to be /simpler/ for the end user.
I think the quintessential example of this is authenticating to sudo
with SSH keys via SSH agent forwarding. It eliminates the password
prompt or the NOPASSWD: option. Either way, you have better security
posture (always authenticated) and / or users have a better experience
(no password prompt).

> Well, almost true.

Please elaborate.
I consider it fairly difficult for non-root users to get a copy of the
/etc/shadow file on most systems. Conversely, SSH private key files
tend to ... leak / be forgotten.
--
Grant. . . .
unix || die
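
The two sudo setups compared in the message above, as an added configuration example that is not part of the original e-mail. It assumes the pam_ssh_agent_auth PAM module (the message does not name a module), a Gentoo-style `system-auth` PAM stack, a constructed user name `alice`, and an example key file path.

```conf
# ---- /etc/sudoers.d/admins : the NOPASSWD variant ----------------------
# sudo performs no authentication at all for this user.
# "alice" is a constructed user name.
#
#   alice ALL=(ALL) NOPASSWD: ALL

# ---- /etc/sudoers.d/admins : agent-authenticated variant ---------------
# sudo resets the environment by default, so keep the forwarded agent
# socket visible to the PAM module. No NOPASSWD tag: every sudo call is
# authenticated, but against the agent instead of a password prompt.
Defaults env_keep += "SSH_AUTH_SOCK"
alice ALL=(ALL) ALL

# ---- /etc/pam.d/sudo ---------------------------------------------------
# Succeed if the agent reachable through SSH_AUTH_SOCK can sign a
# challenge with a private key whose public half is listed in the file.
# The path is an example; keep the file root-owned and writable only by
# root, separate from ~/.ssh/authorized_keys, so that a user (or someone
# holding a leaked login key) cannot enrol further keys for sudo.
auth     sufficient  pam_ssh_agent_auth.so file=/etc/security/sudo_authorized_keys

# Fall back to the normal stack (password) when no agent or no matching
# key is present. "system-auth" is the Gentoo stack name and is an
# assumption; other distributions name it differently.
auth     include     system-auth
account  include     system-auth
session  include     system-auth
```

The public keys trusted for sudo are then whatever is listed in that one file, which gives a single place to review and remove keys that have leaked or been forgotten.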