sudo without password when logged in with SSH private keys












Is it possible to make the sudo command support SSH private keys, so that when a user logs in using a private key he/she could sudo without typing a password?

This would allow storing the UNIX sysadmin passwords in encrypted cold storage and never needing to access them, assuming the users always use secure private SSH keys to log in to the server.

linux ssh sudo

asked Oct 24 '12 at 20:54 by Mikko Ohtamaa, edited Oct 24 '12 at 22:16 (score 16)

  • askubuntu.com/a/135838 If you put those users into a group, you sure can!
    – Rob, Oct 24 '12 at 21:07

  • Try sudo visudo and change your password to NOPASSWD: ALL; see if that works.
    – pneumatics, Oct 24 '12 at 21:08

  • @AlanTuring That would also work for users in that group who identified via a password.
    – Xyon, Oct 24 '12 at 21:27

  • @AlanTuring That would effectively decrease the security of the server: I want only certain users, not all, to sudo.
    – Mikko Ohtamaa, Oct 24 '12 at 22:14

  • It's possible to give privileges to specific users. See my answer.
    – Isaac Rabinovitch, Oct 26 '12 at 8:21

4 Answers
The option to do so has existed since (at least) April 2014.

You will need to install a package called pam_ssh_agent_auth (available for CentOS 7 out of the box, YMMV), then configure /etc/pam.d/sudo to accept it as an authorization method. Finally, you may need to add SSH_AUTH_SOCK to the list of environment variables that persist during sudo.

The Gentoo wiki has details for these steps.

answered Dec 27 '18 at 4:53 by Liam Dawson (score 1)

  • Lovely, thank you Liam. Too bad I have not been into sysadmin for many years!
    – Mikko Ohtamaa, Dec 27 '18 at 14:16
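The three steps in the answer above, staged into a scratch copy of /etc so they can be reviewed before being installed, as an added example (this is not code from the answer, from pam_ssh_agent_auth or from the Gentoo wiki). It assumes the module's `file=` option and the /etc/security/authorized_keys path shown in the pam_ssh_agent_auth man page, starts from a constructed Debian-style /etc/pam.d/sudo, uses a placeholder public key, and relies on GNU `stat -c` for the mode check; the function names and the `agent-auth` fragment name are the example's own.

```sh
#!/bin/sh
# Added example (not the answer's, the module's or the Gentoo wiki's code):
# stage the three pieces the answer lists into a scratch copy of /etc so
# they can be reviewed before being installed for real.
# Assumptions: the "file=" option and /etc/security/authorized_keys path
# come from the pam_ssh_agent_auth man page; the starting pam.d/sudo is a
# constructed Debian-style file; the key is a placeholder; stat -c is GNU.
set -eu

PAM_RULE='auth    sufficient  pam_ssh_agent_auth.so file=/etc/security/authorized_keys'

# Add the agent rule to a PAM service file exactly once, above the first
# existing "auth" or "@include" line so it is tried first. "sufficient":
# a key the agent can sign for ends the auth stack with success; no agent
# or an unknown key falls through to the normal password prompt.
pam_add_agent_auth() {            # $1 = staged pam.d/sudo
    grep -q 'pam_ssh_agent_auth\.so' "$1" && return 0
    awk -v rule="$PAM_RULE" '
        !done && ($1 == "auth" || $1 ~ /^@include/) { print rule; done = 1 }
        { print }
        END { if (!done) print rule }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# sudoers fragment: keep SSH_AUTH_SOCK through env_reset (otherwise the
# module cannot find the agent and you get the password prompt anyway)
# and grant the user or group WITHOUT NOPASSWD; the PAM step now stands
# in for the password instead of removing the check.
sudoers_agent_fragment() {        # $1 = user or %group
    printf 'Defaults    env_keep += "SSH_AUTH_SOCK"\n'
    printf '%s    ALL=(ALL:ALL) ALL\n' "$1"
}

# Stage everything under scratch root $1 for principal $2 with public key $3.
stage_agent_auth() {
    root="$1"; who="$2"; pubkey="$3"
    mkdir -p "$root/etc/pam.d" "$root/etc/security" "$root/etc/sudoers.d"

    [ -f "$root/etc/pam.d/sudo" ] || printf '%s\n' '#%PAM-1.0' \
        '@include common-auth' '@include common-account' \
        '@include common-session-noninteractive' > "$root/etc/pam.d/sudo"
    pam_add_agent_auth "$root/etc/pam.d/sudo"

    # Keys sudo will accept. On the real system this file must be owned by
    # root and not writable by anyone else; the module refuses it otherwise.
    printf '%s\n' "$pubkey" > "$root/etc/security/authorized_keys"
    chmod 0644 "$root/etc/security/authorized_keys"

    rm -f "$root/etc/sudoers.d/agent-auth"      # previous run left it 0440
    sudoers_agent_fragment "$who" > "$root/etc/sudoers.d/agent-auth"
    chmod 0440 "$root/etc/sudoers.d/agent-auth"
}

# Review checks before copying into /etc: one agent rule, socket kept,
# no NOPASSWD crept in, key file not writable by group/others.
# Returns 0 when all pass, otherwise the number of the failed check.
check_staged() {
    root="$1"
    [ "$(grep -c 'pam_ssh_agent_auth\.so' "$root/etc/pam.d/sudo")" -eq 1 ] || return 1
    grep -q 'env_keep += "SSH_AUTH_SOCK"' "$root/etc/sudoers.d/agent-auth" || return 2
    ! grep -q 'NOPASSWD' "$root/etc/sudoers.d/agent-auth" || return 3
    [ "$(stat -c '%a' "$root/etc/security/authorized_keys")" = 644 ] || return 4
    return 0
}

# Demo run with a constructed (not real) key; prints the staging path.
STAGE=$(mktemp -d)
stage_agent_auth "$STAGE" '%sudo' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyNotReal alice@laptop'
check_staged "$STAGE" && echo "staged under $STAGE"
```

Copy the staged files to the same paths under /etc as root (authorized_keys has to end up root-owned) and run `visudo -c` afterwards. sudo only sees the key if the agent is forwarded to the server (`ssh -A` or `ForwardAgent yes`), and while that session lasts root on that host can use the forwarded agent, so forward only to hosts you already trust with the key. Two things keep the grant honest: there is no NOPASSWD, so the PAM step replaces the password rather than removing the check, and sudo's own timestamp cache (`timestamp_timeout`) still applies; since the agent answers silently, that re-prompt only means something if the key was added with `ssh-add -c` or lives on a token that needs a touch.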













This is not possible without some serious code changes to sudo and sshd. Sudo doesn't know about login methods, and ssh doesn't publish to other programs anything that would indicate whether public key, password, or some other mechanism was used for login.

As someone else said, you can use the NOPASSWD option in sudoers; this would apply to the specified users always, though, not only when they use ssh with private keys.

If you really want, there may be tricks you can do with a suid program that checks the sshd log and locks/edits the sudoers file to let that user do a no-password sudo, and a periodic task to revoke this permission.

All that said, I think this is a bad idea. Requiring a password for privileged commands has a couple of nice benefits that private-key SSH doesn't. Notably, it lets you have timeouts for the auth (the password must be re-entered, which is not true for ssh sessions), and it lets you have password minimums and rotation (unlike ssh keys, whose passphrase is outside the server's control).

answered Oct 24 '12 at 22:29 by Dagon (score 3)

  • "It can't be done" is not an answer, especially when it can be done.
    – Isaac Rabinovitch, Oct 26 '12 at 22:58

  • Changing the answer to the correct one containing new information.
    – Mikko Ohtamaa, Dec 27 '18 at 14:15











A couple of answers point to sudo without a separate user password. You should be aware that this will decrease your security.

For a user that already authenticated strongly with a certificate this might not be an issue, because he is in possession of the certificate that theoretically could make him root.

However, if you think about vulnerabilities that will provide an attacker with a limited user shell, and this user has NOPASSWD set in the sudoers file, the attacker is root without having any credentials to the system at all.

If sudo requires a password from the user, the attacker needs time and luck to escalate his privileges to root.

answered Sep 23 '14 at 14:58 by Sebastian Brabetz (score 1)

No stored passwords or keys required. You can get the result you want by granting the user no-password access in /etc/sudoers. Just add the following line:

    user ALL=(ALL)       NOPASSWD: ALL

Be sure to use visudo to edit sudoers. You might want to give the sudoers man page a quick look so you understand what you're doing.

answered Oct 25 '12 at 2:00 by Isaac Rabinovitch (score 0)

  • This disables the password requirement for all users and not just those that have logged in with SSH keys, which is what the question is asking about.
    – Burhan Ali, Oct 7 '14 at 15:40
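An added example, not code from this answer, from Sebastian Brabetz's answer or from sudo itself, that turns the warning they and the comment above raise into a check you can run: it reads a sudoers-format file (/etc/sudoers or a file from /etc/sudoers.d/) and reports every rule carrying NOPASSWD, keeping an unrestricted `NOPASSWD: ALL` grant apart from one limited to named commands. The parsing follows the sudoers grammar for the usual single-host rule form (comments, backslash continuations, tags that carry over within a command list); multi-host rules and `#include` directives are not handled, and the sample file, its users and commands are constructed for the demo.

```sh
#!/bin/sh
# Added example (not code from the answers or from sudo): report every
# passwordless grant in a sudoers-format file, and tell an unrestricted
# "NOPASSWD: ALL" (root for anything that runs as that user, the case the
# answers warn about) apart from NOPASSWD on a fixed command list.
# Handles comments, backslash continuations and tag inheritance within a
# command list; the common single-host rule form only. Sample file,
# users and commands below are constructed for the demo.

# Usage: audit_nopasswd FILE      (e.g. /etc/sudoers, /etc/sudoers.d/*)
# Prints one line per rule carrying NOPASSWD:
#   <who> NOPASSWD-ALL                      unrestricted
#   <who> NOPASSWD <cmd>, <cmd>...          limited to the listed commands
audit_nopasswd() {
    awk '
    {
        sub(/#.*/, "")                               # comments (and #include lines)
        if ($0 ~ /\\$/) {                            # "\" at end: join with next line
            sub(/\\$/, ""); pending = pending $0; next
        }
        line = pending $0; pending = ""
        sub(/^[ \t]+/, "", line)
        if (line == "") next
        if (line ~ /^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/) next
        if (line !~ /NOPASSWD:/) next

        split(line, w, /[ \t]+/); who = w[1]
        spec = line
        sub(/^[^=]*=[ \t]*/, "", spec)               # drop "who host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)            # drop "(runas)"

        n = split(spec, items, ",")
        mode = "PASSWD"; all = 0; cmds = ""
        for (i = 1; i <= n; i++) {
            item = items[i]
            sub(/^[ \t]+/, "", item); sub(/[ \t]+$/, "", item)
            # A tag applies to its command and every later one in the
            # list until another NOPASSWD:/PASSWD: tag replaces it.
            while (match(item, /^[A-Z]+:[ \t]*/)) {
                tag = substr(item, 1, RLENGTH); sub(/:.*/, "", tag)
                if (tag == "NOPASSWD" || tag == "PASSWD") mode = tag
                item = substr(item, RLENGTH + 1)
            }
            if (mode != "NOPASSWD") continue
            if (item == "ALL") all = 1
            cmds = cmds (cmds == "" ? "" : ", ") item
        }
        if (all) print who " NOPASSWD-ALL"; else print who " NOPASSWD " cmds
    }' "$1"
}

# Constructed sample sudoers, written to $1.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from any real host
Defaults    env_keep += "SSH_AUTH_SOCK"
Defaults    timestamp_timeout=5
User_Alias  ADMINS = alice, bob
alice   ALL=(ALL:ALL) ALL
bob     ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, \
                   /usr/bin/systemctl reload nginx
%ops    ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, PASSWD: ALL
EOF
}

# Demo: only bob gets the NOPASSWD-ALL finding; deploy and %ops are
# reported with the commands they may run without a password.
sample=$(mktemp)
write_sample_sudoers "$sample"
audit_nopasswd "$sample"
rm -f "$sample"
```

Run it over /etc/sudoers and each file in /etc/sudoers.d/ as root. A `NOPASSWD-ALL` line is the situation Sebastian Brabetz describes: any code that gets to run as that account, through a bug in a service the account owns or a stolen session, is root with no further credential. A limited list is still worth reading, since a command that can write files or spawn a shell is as good as ALL.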

















