which is better for sudo: ldap accounts or sudo auto via ssh keys?

Michael Sierchio kudzu at tenebras.com
Thu Dec 26 23:16:06 UTC 2013

On Thu, Dec 26, 2013 at 2:03 PM, Matthew Seaman <
m.seaman at infracaninophile.co.uk> wrote:

> On 26/12/2013 21:02, Aleksandr Miroslav wrote:
> > I have a bunch of servers that I'm trying to tighten down.
> >
> > From a security standpoint, which would be more secure:
> >
> > - having users login from an ldap account and use that same password
> > to authorize themselves to sudo
> >
> >
> > - or do away with passwords entirely and have them login with ssh keys
> > only (easy to do) and then authenticate to sudo with ssh keys (from a
> > search, apparently this is doable). I would also like to enforce that
> > the ssh-keys have passwords on them
> ssh keys are the way to go here.  In fact, I'd recommend disabling use
> of passwords with ssh entirely, and relying on key based auth.
The problem with pubkey auth is that it conflates authentication with
authorization - you can avoid this if you centrally manage where sshd looks
for users' pubkeys, but it's still imperfect.

My $0.02 - use multi-factor auth, key-based + TOTP.  You can easily
(starting with 9.2) integrate Google Authenticator with pubkey auth for
SSH.  You users then see something like this:

msierchio at lada:~ > ssh nardo
Authenticated with partial success.
Verification code:

My /etc/pam.d/sshd contains

auth    required        /usr/local/lib/pam_google_authenticator.so

- M

More information about the freebsd-questions mailing list