On 09/12/13 02:59, Michael W. Lucas wrote:
Hi,
I've noticed that the sudo on OpenBSD seems to have !ttytickets set by
default. In other words, I authenticate sudo once on, say, ttyp4, and
all of my login sessions on all my other ttyp* have authenticated to
sudo.
This, well, kind of surprised me. I'm sure you folks have thought this
through in much more detail than I have, but I can't find anything on
the rationale behind it.
It seems insecure. Can anyone enlighten me as to the thinking here?
Thanks,
==ml
FWIW, I tend to append this to /etc/sudoers:
- - - -
# Local settings
Defaults passprompt="Sudo password (%u@%h):", \
         tty_tickets, \
         passwd_timeout=0, \
         timestamp_timeout=60
%wheel ALL=(ALL:ALL) SETENV: ALL
- - - -
Meaning I do use the 'per-tty' sudo ticket, extending the timeout to 60
minutes. Some issues remain though:
- Making sure to 'sudo -k' on leaving the shell (or, rather, tty).
'trap' helps here, at least a bit, but I'm not sure I catch 100%
of the cases.
- If you don't have a tty (ssh -T $HOST sudo $whatever), calling it
again won't prompt for a password. (sudo -k $whatever would, however.)
I'm sure there are more potential flaws with the setup. Call it security
by obscurity if you please, but it makes me feel a tad better about
upping the timeout.
The passprompt change is really helpful at times though, not to be
mistaken for an ssh password, a sudo password on another machine or something
else.
/Alexander
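As an added example (not part of Alexander's message or of the OpenBSD sudo sources), the snippet below puts the two ticket policies from the thread side by side and wraps the two mitigations he mentions in reusable shell functions: a sudoers fragment with the shared ticket (!tty_tickets) beside one with per-tty tickets modelled on his Defaults block, a syntax check that uses visudo -c -f when visudo is installed and skips otherwise, an EXIT/HUP/TERM trap that runs sudo -k so a cached ticket dies with the shell, and a sudo_fresh wrapper for the no-tty (ssh -T) case where sudo -k on the invocation is the only thing that forces a fresh prompt. The function names, the 60-minute default and the sample fragments are constructed for this example.

```shell
#!/bin/sh
# Added example: sudo ticket policy fragments and the shell-side mitigations
# discussed in the thread. Nothing here modifies the real /etc/sudoers.

# Weak variant (constructed for comparison): one ticket shared by every tty,
# so authenticating on ttyp4 also unlocks sudo on every other login session.
sudoers_shared_ticket() {
    cat <<'EOF'
Defaults !tty_tickets, timestamp_timeout=5
%wheel ALL=(ALL:ALL) SETENV: ALL
EOF
}

# Hardened variant modelled on the fragment in the thread: a ticket per tty,
# a prompt that names user and host, no password-entry timeout, and a ticket
# lifetime in minutes taken from the first argument (default 60).
sudoers_per_tty_ticket() {
    timeout_minutes=${1:-60}
    cat <<EOF
Defaults passprompt="Sudo password (%u@%h):", \\
         tty_tickets, \\
         passwd_timeout=0, \\
         timestamp_timeout=${timeout_minutes}
%wheel ALL=(ALL:ALL) SETENV: ALL
EOF
}

# Returns 0 when the fragment produced by "$1" enables tty_tickets
# (a "!tty_tickets" negation does not count).
has_per_tty_tickets() {
    "$1" "${2:-60}" | grep -Eq '(^|[ ,])tty_tickets'
}

# Writes the fragment from "$1" to a temporary file and checks its syntax
# with visudo -c -f when visudo is available (check-only, nothing is
# installed). Without visudo the check is skipped and 0 is returned.
check_sudoers_fragment() {
    tmp=$(mktemp) || return 1
    "$1" "${2:-60}" > "$tmp"
    rc=0
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp" >/dev/null 2>&1 || rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Revoke the cached ticket when the shell exits, hangs up or is terminated,
# so the next login on the same tty starts without a valid ticket. Intended
# for ~/.profile or ~/.kshrc; SUDO_REVOKE_HOOK records that it was installed.
install_sudo_revoke_hook() {
    trap 'sudo -k >/dev/null 2>&1 || :' EXIT HUP TERM
    SUDO_REVOKE_HOOK=installed
}

# For sessions without a tty (ssh -T host sudo ...) there is no tty to key
# the ticket on; passing -k with the command makes sudo ignore any cached
# credentials and prompt again.
sudo_fresh() {
    sudo -k "$@"
}
```

Running `check_sudoers_fragment sudoers_per_tty_ticket 60` on a host with visudo exercises the same syntax check you would run before editing the real file; `has_per_tty_tickets` is the quick grep to confirm the shared-ticket default has actually been overridden.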