1. Intro

2. SSH

    Reminder on how to create, install, and use SSH keys.

  • SSH key creation:

    #[clientUser@clientSystem:~]% KEY_BITS=2048
    #[clientUser@clientSystem:~]% KEY_COMMENT="TEST key"
    #[clientUser@clientSystem:~]% KEY_FILE=~/.ssh/test_key
    #[clientUser@clientSystem:~]% KEY_TYPE=rsa
    #[clientUser@clientSystem:~]% ssh-keygen -b ${KEY_BITS} -C "${KEY_COMMENT}" -f ${KEY_FILE} -t ${KEY_TYPE}
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/clientUser/.ssh/test_key
    Your public key has been saved in /home/clientUser/.ssh/test_key.pub
    The key fingerprint is:
    SHA256:4R0t1RyzJRcImZvHVniDtsFQBpsy19uB8MiF01qQ9ik TEST key
    The key's randomart image is:
    +---[RSA 2048]----+
    |           *#*Bo+|
    |          .XXX+X |
    |        .o+*@+B..|
    |       . o+E Bo .|
    |        S . +. . |
    |                 |
    |                 |
    |                 |
    |                 |
    +----[SHA256]-----+
  • SSH key installation:

    #[clientUser@clientSystem:~]% TARGET_USER=targetUser
    #[clientUser@clientSystem:~]% TARGET_SYSTEM=targetSystem
    #[clientUser@clientSystem:~]% ssh-copy-id -i ${KEY_FILE} ${TARGET_USER}@${TARGET_SYSTEM}
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/clientUser/.ssh/test_key.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh 'targetUser@targetSystem'"
    and check to make sure that only the key(s) you wanted were added.
  • SSH key usage:

    #[clientUser@clientSystem:~]% ssh -i ${KEY_FILE} ${TARGET_USER}@${TARGET_SYSTEM}

3. PAM

The Pluggable Authentication Module (PAM) is a framework that allows you to easily add new authentication methods to a system without needing to modify programs. The pam-ssh-agent-auth module adds the ability to authenticate using an SSH key pair as a new method within the existing framework.

  • PAM module installation

    #[clientUser@targetSystem:~]% sudo apt-get install pam-ssh-agent-auth
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    pam-ssh-agent-auth is already the newest version (0.10.3-0ubuntu0ppa1).
    0 upgraded, 0 newly installed, 0 to remove and 18 not upgraded.
  • Skim the Description and CONFIGURATION sections of the pam_ssh_agent_auth(8) manual page. It's not long (12 lines on my terminal) and good to know.
  • The pam-ssh-agent-auth module depends on communicating with an SSH authentication agent. The easiest way to provide one is to forward the ssh-agent running on the client system with `ssh -A` or comparable configuration.

4. sudo

Configure sudo to utilize the new PAM module.

  • Back up the file(s) you are modifying, your home directory is a good place.
  • ProTip: Have multiple terminal (emulator) sessions open to the server, with (at least) one waiting as root running a program that won't time out; `read` and `vi` are good candidates.
  • ProTip: Use the `visudo` command to edit the sudoers file. `visudo` uses $EDITOR to edit the file and runs sanity checks on the sudoers syntax, giving you the opportunity to correct mistakes.
  • Remember, sudo FAILS SECURE, meaning that if there is an error sudo will not allow you to do anything.
  • Insert the following line above the first auth line in the /etc/pam.d/sudo file.
    auth   sufficient   pam_ssh_agent_auth.so   file=~/.ssh/authorized_keys
  • Append the following line below the last `Defaults env_keep` line in the /etc/sudoers file.
    Defaults   env_keep += "SSH_AUTH_SOCK"
  • In a new terminal (emulator), test to make sure that you can still `sudo` and that it didn't fail secure on you due to a typo or other problem. This is why you want a root window open to fix the typo and test again. Don't lock yourself out and end up needing boot media.
  • Add the source user's public key to the target user's ~/.ssh/authorized_keys file.

5. su

Configure su to utilize the new PAM module.

  • Back up the file(s) you are modifying, your home directory is a good place.
  • ProTip: Have multiple terminal (emulator) sessions open to the server, with (at least) one waiting as root running a program that won't time out; `read` and `vi` are good candidates.
  • Insert the following line above the first auth line in the /etc/pam.d/su file.
    auth   sufficient   pam_ssh_agent_auth.so   file=~/.ssh/authorized_keys
  • In a new terminal (emulator), test to make sure that you can still `su` and that it didn't fail secure on you due to a typo or other problem. This is why you want a root window open to fix the typo and test again. Don't lock yourself out and end up needing boot media.
  • Add the source user's public key to the target user's ~/.ssh/authorized_keys file.
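The PAM edit is the same for sudo (section 4) and su (section 5), so here is one added example, not code from the original post, that applies it to a copy of a service file and checks the result: the module line goes above the first auth rule, the edit is idempotent, and the sudoers env_keep line is verified. The only layout assumption is that Debian/Ubuntu service files pull in their auth rules through `@include common-auth`, which is treated as the first auth line; the sample file is constructed, not copied from a system.

```shell
#!/bin/sh
# Added example (not from the post): apply and verify the pam_ssh_agent_auth edit
# on a scratch copy. Assumes Debian/Ubuntu-style "@include common-auth" counts as
# the first auth line; explicit "auth ..." rules are handled too.

PAM_LINE='auth   sufficient   pam_ssh_agent_auth.so   file=~/.ssh/authorized_keys'

# Insert PAM_LINE above the first auth rule ("auth ..." or "@include common-auth").
# A backup is written next to the file first; the post suggests your home directory.
# Idempotent: a file that already references the module is left alone.
insert_pam_line() {
    f=$1
    grep -q 'pam_ssh_agent_auth\.so' "$f" && return 0
    cp -p "$f" "$f.bak"
    awk -v line="$PAM_LINE" '
        !done && ($1 == "auth" || ($1 == "@include" && $2 ~ /auth/)) { print line; done = 1 }
        { print }
    ' "$f.bak" > "$f"
}

# Exit 0 only if the very first auth rule is the pam_ssh_agent_auth line, which is
# what "above the first auth line" requires for the module to be consulted first.
check_pam_order() {
    awk '
        $1 == "auth" || ($1 == "@include" && $2 ~ /auth/) {
            if (/pam_ssh_agent_auth\.so/) ok = 1
            exit
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Exit 0 if sudoers keeps SSH_AUTH_SOCK; without it sudo's env_reset drops the
# variable and the module cannot reach the forwarded agent.
check_env_keep() {
    grep -Eq '^Defaults[[:space:]]+env_keep[[:space:]]*\+=.*SSH_AUTH_SOCK' "$1"
}

# Constructed sample in the shape of a Debian/Ubuntu /etc/pam.d/sudo (not a real file).
make_sample_pam() {
    printf '%s\n' '#%PAM-1.0' \
        'session    required   pam_env.so readenv=1 user_readenv=0' \
        '@include common-auth' '@include common-account' \
        '@include common-session-noninteractive' > "$1"
}

# Dry run on a scratch copy; point it at /etc only with the root window the post describes.
t=$(mktemp); make_sample_pam "$t"; insert_pam_line "$t"
check_pam_order "$t" && echo "ok: pam_ssh_agent_auth is consulted first"; rm -f "$t" "$t.bak"
```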

6. Books

The following books contributed to this time-saving, security-enhancing effort:

SSH Mastery, 2nd Edition
I first learned about pam_ssh_agent_auth -- and a lot more -- in the 1st edition of SSH Mastery.
Sudo Mastery, 2nd Edition
The first edition of Sudo Mastery demystified a LOT of what sudo does, how it does it, and why it does it.
PAM Mastery
PAM Mastery explained enough about PAM for me to try to adapt what I'd done for sudo to su.

Other honorable mentions that I routinely recommend:

DNSSEC Mastery, 2nd Edition
I practice what I preach: Use DNSSEC.
TLS Mastery
TLS Mastery made working with TLS (formerly known as SSL) make so much more sense that I actually understood, and could predict, the commands I needed to use to work with TLS certificates.
Networking for Systems Administrators
Networking for Systems Administrators gives a brief overview of what many, Many, MANY things are, how to use the basics, and where to go to learn more.
Run Your Own Mail Server
Run Your Own Mail Server will teach you how to do what it says on the cover.
Some of my personal preferences differ as a 20+ year postmaster, but I absolutely agree that what Michael has put together will enable you to do what the title says.

You will likely find my name mentioned somewhere in most of the recommended books.

7. Outro

Tilted Windmill Press - Technology
Michael has many more good books, both technology and fiction. Go check him out.
DISCOUNT

Discount for normally priced items from Tilted Windmill Press.

Yes, I did use the <MARQUEE> HTML tag.

A web developer I am not. But I like using HTML.


Questions?