which is better for sudo: ldap accounts or sudo auto via ssh keys?
kudzu at tenebras.com
Thu Dec 26 23:16:06 UTC 2013
On Thu, Dec 26, 2013 at 2:03 PM, Matthew Seaman <
m.seaman at infracaninophile.co.uk> wrote:
> On 26/12/2013 21:02, Aleksandr Miroslav wrote:
> > I have a bunch of servers that I'm trying to tighten down.
> > From a security standpoint, which would be more secure:
> > - having users login from an ldap account and use that same password
> > to authorize themselves to sudo
> > - or do away with passwords entirely and have them login with ssh keys
> > only (easy to do) and then authenticate to sudo with ssh keys (from a
> > search, apparently this is doable). I would also like to enforce that
> > the ssh-keys have passwords on them
> ssh keys are the way to go here. In fact, I'd recommend disabling use
> of passwords with ssh entirely, and relying on key based auth.
The problem with pubkey auth is that it conflates authentication with
authorization - you can avoid this if you centrally manage where sshd looks
for users' pubkeys, but it's still imperfect.
My $0.02 - use multi-factor auth, key-based + TOTP. You can easily
(starting with 9.2) integrate Google Authenticator with pubkey auth for
SSH. You users then see something like this:
msierchio at lada:~ > ssh nardo
Authenticated with partial success.
My /etc/pam.d/sshd contains
auth required /usr/local/lib/pam_google_authenticator.so
More information about the freebsd-questions