sudo alternatives; for the minimalists

Solène Rapenne solene at
Mon Mar 13 17:45:49 UTC 2017

Le 2017-03-13 18:34, Doug McIntyre a écrit :
> On Mon, Mar 13, 2017 at 06:21:15PM +0100, Harry Schmalzbauer wrote:
>> Bezüglich Phil Eaton's Nachricht vom 13.03.2017 16:48 (localtime):
>> > How do you feel about the security/doas port from OpenBSD?
>> Thanks, most likely worth a look. But it has no credentials caching,
>> does it?
>> That's my most wanted feature, otherwise I'm still fine with su (no
>> classic user privileging needed, only for admin tasks)
> I think you are collapsing two features into one with this requirement,
> and I'm not sure what you are expecting.
> One way to do what I think you are looking for is you can use SSH
> public-key auth to PAM authenticate in as root priviledges into a 
> server.
> eg. see this discussion thread.
> Another way keychain/SSH is used, is as an ssh-agent (probably likely
> of what you are looking for)
> I was trying to find a decent web page (ie. more than a mention
> of how to run ssh-agent), but ran across a wrapper that did a bit
> more with it for you.
> with links to a better description of ssh-agent and using it, even if
> they are a bit dated (ie. ignore the part about DSA keys altogether).
> _______________________________________________
> freebsd-questions at mailing list
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at"

I was about to answer the same thing. Set PermitRootLogin to allow 
authentication with keys, and use ssh-agent as your regular user to 
cache the private key password.
And then, create an alias with alias sudo="ssh root at localhost" and you 
are done.

So :

as user :
- ssh-keygen # create your private key with password

as root :
- modifiy /etc/ssh/sshd_config and set "PermitRootLogin 
- /etc/rc.d/sshd restart
- mkdir -p /root/.ssh/
- cat /home/user/.ssh/ >> /root/.ssh/authorized_keys

More information about the freebsd-questions mailing list