Secure usage of sudo without passwords
Passwordless sudo seems to be the out-of-the-box configuration on most Linux systems. Whilst this could be useful when installing, it should be removed shortly after. Combined with SSH password login (instead of key-based login) this quickly becomes a very short path to root: effectively, username + password is root.
Let's not go into the password hygiene topic here.
Let's see if we can make this safe and simple.
Many systems are configured with NOPASSWD in sudo. This is poor security: all an attacker needs is the context of the user. You'd do well to remove NOPASSWD: strings from your sudo configuration (use sudo visudo and
Make sure you set sufficiently random passwords for all users, or use the ssh-agent method described below. You're already using keys to authenticate in SSH, right?!?
By default sudo will cache the password for 5 minutes. Any sudo command resets the timer to 5 minutes. To adjust, configure via
Get rid of password questions
You can use your ssh-agent / pageant on your client instead of using a password for using sudo.
Ubuntu seems to fail on DSA keys (prefix
Fix this by adding to
Make sure that permissions on all ~/.ssh directories and files are appropriate; this setup will fail if the permissions are too wide.
Install the PAM ssh agent module
pkg install pam_ssh_agent_auth
apt-get install libpam-ssh-agent-auth
yum install pam_ssh_agent_auth
Configure PAM for sudo
To enable the module, add the following line to /etc/pam.d/sudo on Linux early in the chain, before the first
auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
You could use keys other than the one used for the connection
NOTE: not all systems require this...
Make sure that SSH_AUTH_SOCK is not clobbered when sudo is run, and disable password caching. Use sudo visudo and add the following after the other "Defaults" lines at the top of the file:
Defaults env_keep += SSH_AUTH_SOCK
Defaults timestamp_timeout=0
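As an added check (example code, not part of the original post), this POSIX sh function audits the settings described above: no NOPASSWD: tags, timestamp_timeout=0 and env_keep += SSH_AUTH_SOCK in sudoers, and pam_ssh_agent_auth.so as the first auth entry in the sudo PAM stack. The function name and the FAIL output format are my own; the file paths are the ones the post uses.

```shell
#!/bin/sh
# Audit the sudo/PAM settings recommended in the post (added example, not the
# post's own code). Prints one FAIL line per finding and returns non-zero if
# anything is off. Usage: audit_sudo_setup /etc/sudoers /etc/pam.d/sudo
audit_sudo_setup() {
    sudoers="$1"; pamfile="$2"; findings=0

    # 1. No NOPASSWD: tag on a non-comment line: with it, the user's context is root.
    if grep -Eq '^[^#]*NOPASSWD:' "$sudoers"; then
        echo "FAIL: NOPASSWD: present in $sudoers"; findings=$((findings + 1))
    fi

    # 2. timestamp_timeout=0 so a cached password never stands in for the agent.
    if ! grep -Eq '^[[:space:]]*Defaults[^#]*timestamp_timeout[[:space:]]*=[[:space:]]*0([^0-9]|$)' "$sudoers"; then
        echo "FAIL: Defaults timestamp_timeout=0 missing in $sudoers"; findings=$((findings + 1))
    fi

    # 3. SSH_AUTH_SOCK must survive sudo's env_reset or the PAM module cannot reach the agent.
    if ! grep -Eq '^[[:space:]]*Defaults[^#]*env_keep[[:space:]]*\+=[[:space:]]*"?SSH_AUTH_SOCK' "$sudoers"; then
        echo "FAIL: Defaults env_keep += SSH_AUTH_SOCK missing in $sudoers"; findings=$((findings + 1))
    fi

    # 4. The module line must come before any other auth entry or include in the
    #    sudo PAM stack (Debian uses "@include common-auth", FreeBSD "auth include system").
    first_auth=$(grep -E '^[[:space:]]*(auth[[:space:]]|@include|include[[:space:]])' "$pamfile" | head -n 1)
    case "$first_auth" in
        *pam_ssh_agent_auth.so*) ;;
        *) echo "FAIL: pam_ssh_agent_auth.so is not the first auth entry in $pamfile"
           findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}
```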
Enable Agent Forwarding
ForwardAgent yes in
PuTTY: Configuration in "Connection -> SSH -> Auth" enable "Allow Agent Forwarding"
Use the ssh authentication agent
ssh-agent and add your key with
PuTTY: Start "Pageant" and load your key
Reuse existing ssh-agent session
If you're like me, you'll probably be running multiple/many shells. You can reuse an already running ssh-agent in terminals you start. Add (something like) this to your