I'd start with using sudo with NOPASSWD set. If that wasn't secure enough
then it's probably better to script up how you're doing ssh to multiple
machines and use Expect to feed the passwords to sudo.
On Wed, 23 May 2007, Hari Sekhon wrote:
Well, when using ssh authentication I tend to ssh straight into root. I have
my sshd daemons configured to only allow root login via keys, no passwords
allowed, so it's pretty secure.
This amounts to the same thing as you are talking about if giving full root
access (I am the admin after all) but in case you were trying to use sudo to
grant elevated privs to just a few commands, then I would suggest looking at
the pam for sudo and seeing if there is a module to allow key authentication.
The problem is that your key is usually stored on the machine you are
connecting from, not on the remote machine itself (after all you don't want
your keys lying around, eh?). This poses a problem in how sudo on the remote
machine could use the private key on the local machine?
Not sure if anyone has tackled this, but the pams are where I'd start.
Perhaps there is some module for pam somewhere that can help here, although
I'm not sure what it is. Google is your friend I guess.
-h
Hari Sekhon
Eric S. Johansson wrote:
There are a number of ways I could be missing something obvious so I
apologize in advance.
My idea is that it should be possible to grant sudo access with your ssh
credentials. The logic is that once the server has granted access to a
client based on its ssh keys, it should be possible to use the same
authentication to grant sudo privileges. After all, if a key pair is good
enough to get you into one machine, why isn't it good enough to grant you
the full Monty?
Assuming that it is, how could a local program determine that the process
it is running in has done so via ssh key authentication? Would it query
the agent directly? Would it be able to use agent forwarding? Or is this
a really bad idea that I should just give up on?
---eric
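
Eric's question about querying the agent directly, sketched as an added example that is not part of the original thread: a program on the remote host asks the forwarded agent behind `SSH_AUTH_SOCK` which public keys it holds and compares them with a list of authorized keys. The function names are illustrative, and the authorized lines are assumed to be in plain `type base64 comment` form with no options prefix.

```python
import base64, os, socket, struct

REQUEST_IDENTITIES, IDENTITIES_ANSWER = 11, 12  # ssh-agent protocol message types

def _string(buf, off):
    """Read one length-prefixed string; return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated agent reply")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated agent reply")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities(body):
    """Parse an identities answer (type byte onward) into (blob, comment) pairs."""
    if len(body) < 5 or body[0] != IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = _string(body, off)
        comment, off = _string(body, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        data += chunk
    return data

def agent_identities(sock_path=None):
    """Ask the agent behind SSH_AUTH_SOCK which public keys it holds."""
    sock_path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not sock_path:
        return []  # no agent running, or agent forwarding is off
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(struct.pack(">IB", 1, REQUEST_IDENTITIES))
        (length,) = struct.unpack(">I", _recv_exact(s, 4))
        return parse_identities(_recv_exact(s, length))

def trusted_keys(identities, authorized_lines):
    """Comments of agent keys whose blob appears in the authorized lines."""
    allowed = set()
    for line in authorized_lines:
        fields = line.split()
        if len(fields) >= 2 and not line.startswith("#"):
            allowed.add(base64.b64decode(fields[1]))
    return [comment for blob, comment in identities if blob in allowed]
```

A key listing is only the agent's claim: a real privilege check would have the agent sign a fresh challenge (message type 13) and verify the signature against the authorized public key. A forwarded agent socket is also usable by root on the remote host for as long as the session lasts.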