I always hated sudo. It's like trying to fix a tyre with chewing gum, closing your eyes and hoping it works.
Just a quick and dirty, straightforward explanation of why it is bad for your systems' security.
Let's say you have a password-less ssh keypair attached to a remote user allowed to run anything as root by prefixing commands with "sudo". *cough* this is the default setup for any Amazon EC2 instance running Amazon Linux AMIs (and also Ubuntu AMIs, I guess, and perhaps even Fedora ones?)
What happens if your keypair slips out, gets leaked somehow, or somebody steals it from your hard drive? The result is simple: the attacker automatically gains root access anywhere you have the above setup.
That's quite dangerous, especially if you're paranoid. Funnily enough, many distros are forcing users to use sudo against their will, in a password-less setup.
Of course, this also happens in the unlikely (ahaha) case where your user account gets compromised. Having two levels of passwords is always better than one.
sudo FTL!
Sorry, do not agree.
Nothing can prevent silly users doing silly things.
First step is to log in to the target system. If the keys are not password protected, it does not mean that keys are bad. Second is to execute sudo with a command, and you need a password for executing the command.
So, you have two different authorization methods.
Quote: “Having two levels of passwords is always better than one.” True for ssh with sudo.
Yep, like Dirk said. That's not true. Even when you lose your keys, you still have to enter your password when you enter a sudo command. Losing "root" keys is much worse. Imagine you create a password-less key for root on a server; only in this situation does the attacker have full access to your machine.
This is true for the Sabayon sudo implementation, and Gentoo as well. But for example, Amazon Linux gives you passwordless sudo by default.
In this case “passwordless sudo” is the problem and not sudo per se.
I rather think that sudo itself allowing this is the real problem.
Misconfigurations and human errors are very likely.
Yes and no. ssh allows password-less keys as well …
It should not be default.
“I rather think that sudo itself allowing this is the real problem.
Misconfigurations and human errors are very likely.”
I think you misjudged users that can achieve this.
I would also set timestamp_timeout = 0, which will disable password caching and force users to re-enter their password on every sudo run.
Your argument seems not to be against sudo, per se, but against not having a separate password for root, coupled with unlimited sudo privileges. sudo can be limited in extent, depending on the privileges found in the sudoers file. Anytime you have root access without requiring a password, whether it is the account password or a separate root password, you are leaving yourself open to problems in the name of expedience.
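Several of the comments above make the same configuration point: sudo can require a password, `timestamp_timeout=0` disables the cached credential, and the sudoers file can restrict which commands a user may run. The following is an added example, not code from the post or from any commenter, that audits a sudoers text for exactly the combination the post warns about (NOPASSWD together with ALL commands as root) and for a missing `timestamp_timeout=0`. Both sudoers snippets are constructed for the example; the "weak" one mirrors the Amazon-Linux-style default described in the thread, the "hardened" one is an assumed corrected configuration with a made-up `deploy` account and `myapp` service. The parser covers only the subset of sudoers syntax needed here (plain `Defaults` lines and simple user specifications), not aliases or `#include` directives.

```python
"""Audit a sudoers file for password-less, unrestricted root grants.

Added example, not from the original post or its commenters. It handles a
simplified subset of sudoers syntax (plain Defaults lines and user
specifications) and flags the pattern the post warns about: NOPASSWD
combined with ALL commands as root. Sample contents below are constructed.
"""
import re

# Constructed "weak" configuration: the login user runs anything as root
# without a password, and sudo's password cache is left at its default.
WEAK_SUDOERS = """
Defaults    env_reset
root    ALL=(ALL) ALL
ec2-user ALL = NOPASSWD: ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
"""

# Constructed "hardened" configuration: a password on every run, no
# credential caching, and a limited command set for an assumed service account.
HARDENED_SUDOERS = """
Defaults    env_reset
Defaults    timestamp_timeout=0
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
deploy  ALL=(root) /usr/bin/systemctl restart myapp, /usr/bin/journalctl -u myapp
"""

# user  host=(runas) [TAG:] commands   -- a simplified sudoers user spec.
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return (defaults, specs): defaults maps option name to value (or True
    for flags); specs is one dict per recognised user specification line."""
    defaults = {}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            # Only plain "Defaults opt, opt=value" lines; per-user/host forms
            # (Defaults:user, Defaults@host) are out of scope for this example.
            for opt in line[len("Defaults"):].strip().split(","):
                key, _, value = opt.strip().partition("=")
                defaults[key.strip()] = value.strip() or True
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue  # aliases, includes and other directives are skipped
        specs.append({
            "user": m["user"],
            "runas": (m["runas"] or "root").strip(),  # sudo defaults to root
            "nopasswd": "NOPASSWD:" in m["tags"],
            "cmds": [c.strip() for c in m["cmds"].split(",")],
        })
    return defaults, specs


def runs_as_root(runas):
    """True if the runas list permits root (ALL, or root listed explicitly)."""
    return runas == "ALL" or "root" in [r.strip() for r in runas.split(",")]


def audit(text):
    """Return a list of findings for a sudoers text; an empty list means
    nothing was flagged."""
    defaults, specs = parse_sudoers(text)
    findings = []
    for s in specs:
        if s["nopasswd"] and "ALL" in s["cmds"] and runs_as_root(s["runas"]):
            findings.append(
                f"{s['user']}: password-less sudo to ALL commands as root "
                "(a leaked SSH key for this user is effectively a root key)")
        elif s["nopasswd"]:
            findings.append(
                f"{s['user']}: NOPASSWD on {', '.join(s['cmds'])}; review "
                "whether these commands can write files or spawn programs as root")
    if str(defaults.get("timestamp_timeout", "")) != "0":
        findings.append(
            "timestamp_timeout is not 0: a successful sudo password is cached, "
            "so a hijacked session can reuse it without re-authenticating")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(f"[{name}] {len(audit(text))} finding(s)")
        for f in audit(text):
            print("  -", f)
```

Run against the weak snippet the audit reports three findings (two unrestricted NOPASSWD grants and the missing `timestamp_timeout=0`); the hardened snippet produces none. On a real host the same logic would be run over `/etc/sudoers` and the files it includes, and `visudo -c` remains the authoritative syntax check, since this parser deliberately ignores aliases and include directives.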
Can't say I agree with this article. I'm not as clued up as most people here, but it seems to me that no matter what the security system is, if someone else gets hold of the password or keys it's not good. Doesn't matter if it's sudo or root.
The problem here seems to be the same problem home users face with home wifi routers: poor default password setups, meaning not having any, and specifically system admins not changing that poor default setup to something more secure. Sudo can be configured to require passwords and time out. Privileges can also be set up so that not all users on the sudoers list have the same rights.
It would seem the author is trying to shape the facts to suit the argument.