which is better for sudo: ldap accounts or sudo auto via ssh keys?

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Dec 26 22:03:53 UTC 2013

On 26/12/2013 21:02, Aleksandr Miroslav wrote:
> I have a bunch of servers that I'm trying to tighten down.
> From a security standpoint, which would be more secure:
> - having users login from an ldap account and use that same password
> to authorize themselves to sudo
> - or do away with passwords entirely and have them login with ssh keys
> only (easy to do) and then authenticate to sudo with ssh keys (from a
> search, apparently this is doable). I would also like to enforce that
> the ssh-keys have passwords on them

ssh keys are the way to go here.  In fact, I'd recommend disabling use
of passwords with ssh entirely, and relying on key based auth.

The problem with passwords is that you've either got to store them in
your authentication database in plain, or you've got to transmit them
across the network in plain (although protected by TLS).  This means
that passwords tend to escape, and that blows your security wide open.
Also there's very few people that can choose or remember appropriately
strong passwords worth a damn[*].

SSH keys simply don't suffer from this weakness, and it's perfectly OK
to make the public keys readily available.  If you can enforce your
password policy (which you'll have to do by education and consensus, as
there's nothing in SSH itself to require use of passphrases on keys),
then anyone trying to break in by stealing SSH keys will also need to
obtain the matching passphrases, so that's reasonable extra security.

From a day-to-day usability perspective, using gpg-agent as the local
keystore for SSH keys seem the best procedure: unlike ssh-agent, it will
require you to re-auth after a certain period of inactivity, and it
keeps the keys encrypted in RAM during operation.

LDAP pubkey I haven't played with in a while, but last time I did, it
worked well.  security/pam_ssh_agent_auth works like a charm, although I
have generally been storing the authorized keys in a text file on each
server.  Not sure if you can hook it up to LDAP pubkey,
but well worth investigating.



[*] The XKCD method not withstanding.

Dr Matthew J Seaman MA, D.Phil.

PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew at infracaninophile.co.uk

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1036 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20131226/784e9465/attachment.sig>

More information about the freebsd-questions mailing list