Re: doas prompting for password in script
On 2016-12-15, Ax0n wrote:
> I don't know how doas is keeping track of a session.

It's using a kernel "verified auth" feature. See tty(4):

     TIOCCHKVERAUTH   void
             Check the verified auth status of this session. The calling
             process must have the same real user ID and parent process
             as the process which called TIOCSETVERAUTH. A zero return
             indicates success.
Re: doas prompting for password in script
On 15 December 2016 at 10:42, trondd wrote:
> On Thu, December 15, 2016 12:28 pm, Ax0n wrote:
>> I don't know how doas is keeping track of a session. If it's by
>> interactive tty session only, that could cause problems with
>> non-interactive scripts. I'll let someone closer to the code answer
>> that question.
>>
>
> It's tied to the shell.
>
> http://www.tedunangst.com/flak/post/doas-mastery
>
> "If you have multiple shell logins to a machine, each login will require
> authentication. Additionally, the authentication information includes the
> parent shell process ID. This means that executing doas again in a shell
> script will require authentication."
>

Ah, I knew I should have checked Ted's blog!
Re: doas prompting for password in script
On Thu, December 15, 2016 12:28 pm, Ax0n wrote:
> I don't know how doas is keeping track of a session. If it's by
> interactive tty session only, that could cause problems with
> non-interactive scripts. I'll let someone closer to the code answer
> that question.
>

It's tied to the shell.

http://www.tedunangst.com/flak/post/doas-mastery

"If you have multiple shell logins to a machine, each login will require
authentication. Additionally, the authentication information includes the
parent shell process ID. This means that executing doas again in a shell
script will require authentication."

> On Thu, Dec 15, 2016 at 11:25 AM, jungle Boogie wrote:
>
>> On 15 December 2016 at 09:21, Ax0n wrote:
>> > In -CURRENT, doas.conf has a "persist" keyword that will only prompt
>> > once per session. This isn't available in OpenBSD 6.0, but should
>> > work when 6.1 is released. Here's a fairly minimal rule that would
>> > allow wheel group users to do whatever they want with doas after
>> > authenticating once:
>>
>> DOH! I forgot to mention that I'm running a snapshot from this morning.
>>
>> OpenBSD 6.0-current (GENERIC.MP) #38: Thu Dec 15 08:24:17 MST 2016
>>     bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>>
>> my doas.conf:
>> permit persist :wheel
>> permit persist keepenv jungle as root
>>
>> With this, should I be re-prompted for the password?
>>
>> --
>> ---
>> inum: 883510009027723
>> sip: jungleboo...@sip2sip.info
Re: doas prompting for password in script
I don't know how doas is keeping track of a session. If it's by interactive
tty session only, that could cause problems with non-interactive scripts.
I'll let someone closer to the code answer that question.

On Thu, Dec 15, 2016 at 11:25 AM, jungle Boogie wrote:
> On 15 December 2016 at 09:21, Ax0n wrote:
> > In -CURRENT, doas.conf has a "persist" keyword that will only prompt
> > once per session. This isn't available in OpenBSD 6.0, but should work
> > when 6.1 is released. Here's a fairly minimal rule that would allow
> > wheel group users to do whatever they want with doas after
> > authenticating once:
>
> DOH! I forgot to mention that I'm running a snapshot from this morning.
>
> OpenBSD 6.0-current (GENERIC.MP) #38: Thu Dec 15 08:24:17 MST 2016
>     bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> my doas.conf:
> permit persist :wheel
> permit persist keepenv jungle as root
>
> With this, should I be re-prompted for the password?
>
> --
> ---
> inum: 883510009027723
> sip: jungleboo...@sip2sip.info
Re: doas prompting for password in script
On 15 December 2016 at 09:21, Ax0n wrote:
> In -CURRENT, doas.conf has a "persist" keyword that will only prompt once
> per session. This isn't available in OpenBSD 6.0, but should work when 6.1
> is released. Here's a fairly minimal rule that would allow wheel group users
> to do whatever they want with doas after authenticating once:

DOH! I forgot to mention that I'm running a snapshot from this morning.

OpenBSD 6.0-current (GENERIC.MP) #38: Thu Dec 15 08:24:17 MST 2016
    bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

my doas.conf:
permit persist :wheel
permit persist keepenv jungle as root

With this, should I be re-prompted for the password?

--
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info
Re: doas prompting for password in script
For now, you may want to use the "nopass" keyword and set up
highly-restrictive rules. The last matching rule determines the action
taken, so you can have more general rules up top, and more specific ones
that don't require a password toward the end. For example, my wireless
network manager script relies on the ability to kill off the DHCP client
and do some other things with ifconfig.

permit nopass :wheel as root cmd /usr/bin/pkill args dhclient
permit nopass :wheel as root cmd /sbin/ifconfig
permit nopass :wheel as root cmd /sbin/dhclient

In -CURRENT, doas.conf has a "persist" keyword that will only prompt once
per session. This isn't available in OpenBSD 6.0, but should work when 6.1
is released. Here's a fairly minimal rule that would allow wheel group users
to do whatever they want with doas after authenticating once:

permit persist :wheel

On Thu, Dec 15, 2016 at 10:56 AM, jungle Boogie wrote:
> Hi All,
>
> Should I be prompted for a password during this scenario?
>
> $ doas date
> doas (jun...@openbsd.my.domain) password:
> Thu Dec 15 08:55:39 PST 2016
> $ ./date.sh
> doas (jun...@openbsd.my.domain) password:
> Thu Dec 15 08:55:46 PST 2016
>
> As you see, only seconds passed between both commands and yet, I'm
> prompted for my password again.
>
> --
> ---
> inum: 883510009027723
> sip: jungleboo...@sip2sip.info
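The "last matching rule determines the action" behaviour that Ax0n relies on above is easy to get wrong when editing doas.conf, because a broad rule placed after the specific nopass rules silently re-enables the password prompt for them. The following is an added example, not code from doas(1) or from anyone in this thread: a small Python model of doas.conf rule selection for the subset of doas.conf(5) syntax used in the thread (permit/deny, the nopass/persist/keepenv/nolog options, a user or :group identity, "as", "cmd" and "args"). It is a simplified model: the command is compared as a plain string with no PATH lookup, setenv is not supported, and the persist session cache is not modelled. The CONF text is constructed for the example and puts a general "permit :wheel" rule ahead of Ax0n's three nopass rules.

```python
"""Simplified model of doas.conf rule selection: the last matching rule wins.

Added example, not the code of doas(1). Models this subset of doas.conf(5):
    permit|deny [nopass|persist|keepenv|nolog ...] identity
                [as target] [cmd command [args [argument ...]]]
Assumptions: exact string comparison of the command (no PATH lookup),
no setenv support, no persist/session cache.
"""
import shlex
from dataclasses import dataclass, field
from typing import Optional

OPTIONS = {"nopass", "persist", "keepenv", "nolog"}


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    options: set = field(default_factory=set)
    identity: str = ""                # "user" or ":group"
    target: Optional[str] = None      # from "as"; None means any target user
    cmd: Optional[str] = None         # from "cmd"; None means any command
    args: Optional[list] = None       # from "args"; None means any arguments


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one doas.conf line; returns None for blank or comment lines."""
    tok = shlex.split(line, comments=True)
    if not tok:
        return None
    if tok[0] not in ("permit", "deny"):
        raise ValueError(f"bad action in rule: {line!r}")
    rule = Rule(action=tok[0])
    i = 1
    while i < len(tok) and tok[i] in OPTIONS:      # options precede identity
        rule.options.add(tok[i])
        i += 1
    if i >= len(tok):
        raise ValueError(f"missing identity in rule: {line!r}")
    rule.identity = tok[i]
    i += 1
    if i < len(tok) and tok[i] == "as":
        rule.target = tok[i + 1]
        i += 2
    if i < len(tok) and tok[i] == "cmd":
        rule.cmd = tok[i + 1]
        i += 2
        if i < len(tok) and tok[i] == "args":
            rule.args = tok[i + 1:]     # "args" alone means: no arguments at all
            i = len(tok)
    if i != len(tok):
        raise ValueError(f"trailing tokens in rule: {line!r}")
    return rule


def parse_conf(text: str) -> list:
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r]


def rule_matches(rule, user, groups, target, cmd, args) -> bool:
    if rule.identity.startswith(":"):
        if rule.identity[1:] not in groups:
            return False
    elif rule.identity != user:
        return False
    if rule.target is not None and rule.target != target:
        return False
    if rule.cmd is not None:
        if rule.cmd != cmd:
            return False
        if rule.args is not None and rule.args != list(args):
            return False
    return True


def decide(rules, user, groups, target, cmd, args=()) -> Optional[Rule]:
    """Return the last matching rule; None means no rule matched (denied)."""
    chosen = None
    for rule in rules:
        if rule_matches(rule, user, groups, target, cmd, args):
            chosen = rule          # a later match overrides an earlier one
    return chosen


def outcome(rules, user, groups, target, cmd, args=()) -> str:
    """'deny', 'permit' (password prompt) or 'permit nopass'."""
    rule = decide(rules, user, groups, target, cmd, args)
    if rule is None or rule.action == "deny":
        return "deny"
    return "permit nopass" if "nopass" in rule.options else "permit"


# Constructed config: one general rule first, then the specific nopass rules.
CONF = """
permit :wheel
permit nopass :wheel as root cmd /usr/bin/pkill args dhclient
permit nopass :wheel as root cmd /sbin/ifconfig
permit nopass :wheel as root cmd /sbin/dhclient
"""

if __name__ == "__main__":
    rules = parse_conf(CONF)
    for cmd, args in [("/bin/date", ()), ("/usr/bin/pkill", ("dhclient",)),
                      ("/usr/bin/pkill", ("sshd",)), ("/sbin/ifconfig", ("em0", "up"))]:
        print(cmd, args, "->", outcome(rules, "jungle", {"wheel"}, "root", cmd, args))
```

Run as a script it shows that "/bin/date" and "pkill sshd" still prompt while "pkill dhclient" and "ifconfig em0 up" do not; moving the general "permit :wheel" line to the end of CONF makes every command prompt again, which is the ordering mistake the model is meant to make visible.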
doas prompting for password in script
Hi All,

Should I be prompted for a password during this scenario?

$ doas date
doas (jun...@openbsd.my.domain) password:
Thu Dec 15 08:55:39 PST 2016
$ ./date.sh
doas (jun...@openbsd.my.domain) password:
Thu Dec 15 08:55:46 PST 2016

As you see, only seconds passed between both commands and yet, I'm prompted
for my password again.

--
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info