Sudo w/Ticket Support

greg@enjellic.com greg at enjellic.com
Tue May 12 11:04:11 EDT 2009


On May 7, 11:21am, petesea at bigfoot.com wrote:
} Subject: Sudo w/Ticket Support

Good morning to everyone, hope your respective weeks are going well.

> Is there a version of sudo that supports Ticket Exchange?
> 
> ie. if I have valid TGT it will allow me to sudo without being prompted 
> for a password?
> 
> It appears there is a version that supports the use of Kerberos passwords, 
> but I'm looking for something that uses that TGT I already have.

TGT authenticated sudo transition is a bit of a security hole in
general.  It essentially defeats the notion which sudo has of
enforcing user immediacy at the time of the security transition
request.

The other major hole with using Kerberos to authenticate a password is
that it defeats the underlying premise of the Kerberos security model
which states that a password is never typed into a remote machine.

I've got the most recent copy of OpenSSH taken apart right now in an
attempt to implement an alternative strategy.  I'm teaching the client
to open an authenticated channel over which a short lived host based
service ticket is passed to the SSHD daemon.  After authenticating the
service ticket the daemon updates the timestamp on the sudo sentinel
file.

The user uses the ~S command to initiate the sequence.  The user is
prompted for a password which is used to obtain a TGT which is then
used to obtain a service ticket which is sent over the channel for
authentication.  By enforcing a very short ticket lifetime parameter
user immediacy can be enforced.

I plan on posting the patches when they are complete.  Much like Simon
Wilkinson's excellent patches it is unlikely they will see the light
of day but local system administrators may find them useful.  They
will be more palatable than the current situation with respect to
Kerberized authentication for sudo.  I know in the shops I work with
this approach is more favored than typing in remote passwords or
using NOPASSWD.

Best wishes for a productive week.

Greg

}-- End of excerpt from petesea at bigfoot.com

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"C++ is designed to allow you to express ideas, but if you don't have
 any ideas or don't have any clue about how to express them, C++
 doesn't offer much help."
                                -- Bjarne Stroustrup
                                   Technology Review
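The freshness rule the post relies on ("by enforcing a very short ticket lifetime parameter user immediacy can be enforced") is the part a daemon must get right on its own side: the KDC's default lifetimes are hours, and a service ticket minted from a cached TGT carries the TGT's original authtime (RFC 4120), so the server has to check both the ticket's lifetime and how long ago the user actually authenticated before it touches the sudo sentinel. The following is an added illustration, not code from this post or from the OpenSSH patches it describes. `TicketInfo` is an assumed stand-in for the fields a daemon would read from a real Kerberos library after cryptographically verifying the ticket; the thresholds, the sentinel path (a temporary file) and the `demo()` driver are constructed for the example.

```python
"""Server-side immediacy check for a short-lived Kerberos service ticket.

Added example, not the post's own code.  It models the decision an sshd-side
helper would make after a ticket has already been verified: is this ticket
fresh enough to count as "the user is present right now", and if so, update
the sudo timestamp (sentinel) file.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class TicketInfo:
    """Assumed stand-in for decoded ticket fields (epoch seconds)."""
    client: str       # e.g. "alice@EXAMPLE.COM"
    authtime: float   # when the user originally authenticated (copied from the TGT)
    starttime: float  # start of the ticket's validity window
    endtime: float    # ticket expiry


# Policy knobs (constructed values): short windows are what make this safe.
MAX_TICKET_LIFETIME = 120   # seconds; reject tickets the KDC issued with long lives
MAX_AUTH_AGE = 60           # seconds since the password was actually typed
CLOCK_SKEW = 5              # tolerated drift between client, KDC and this host


def ticket_is_immediate(t: TicketInfo, now: float) -> Tuple[bool, str]:
    """Return (accepted, reason) for an already-verified ticket.

    The lifetime and authtime checks are both needed: a fresh service ticket
    obtained from an hours-old cached TGT has a recent starttime but an old
    authtime, which is exactly the case the post calls a security hole.
    """
    lifetime = t.endtime - t.starttime
    if lifetime > MAX_TICKET_LIFETIME + CLOCK_SKEW:
        return False, "ticket lifetime too long; do not rely on KDC defaults"
    if t.starttime > now + CLOCK_SKEW:
        return False, "ticket not yet valid"
    if now > t.endtime + CLOCK_SKEW:
        return False, "ticket expired"
    if now - t.authtime > MAX_AUTH_AGE + CLOCK_SKEW:
        return False, "authentication too old (stale TGT reused)"
    return True, "ok"


def refresh_sudo_sentinel(path: str, t: TicketInfo, now: float) -> bool:
    """Touch the sentinel file only when the ticket passes the immediacy check."""
    accepted, _reason = ticket_is_immediate(t, now)
    if not accepted:
        return False
    # Create with restrictive mode if missing, then set mtime to "now".
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
    os.close(fd)
    os.utime(path, (now, now))
    return True


def demo() -> Dict[str, bool]:
    """Run the check over constructed tickets; returns the decisions."""
    now = 1_000_000.0
    user = "alice@EXAMPLE.COM"
    fresh = TicketInfo(user, now - 10, now - 10, now + 50)          # just typed password
    stale_tgt = TicketInfo(user, now - 3600, now - 10, now + 50)    # new ticket, old TGT
    long_lived = TicketInfo(user, now - 10, now - 10, now + 36000)  # 10h ticket
    expired = TicketInfo(user, now - 300, now - 300, now - 200)

    results = {
        "fresh": ticket_is_immediate(fresh, now)[0],
        "stale_tgt": ticket_is_immediate(stale_tgt, now)[0],
        "long_lived": ticket_is_immediate(long_lived, now)[0],
        "expired": ticket_is_immediate(expired, now)[0],
    }
    with tempfile.TemporaryDirectory() as d:
        sentinel = os.path.join(d, "sudo-sentinel")  # constructed path
        touched = refresh_sudo_sentinel(sentinel, fresh, now)
        mtime_ok = touched and abs(os.stat(sentinel).st_mtime - now) < 1.0
        results["sentinel_updated"] = bool(mtime_ok)
        results["sentinel_blocked_for_stale"] = not refresh_sudo_sentinel(
            sentinel, stale_tgt, now)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:25s} {'accept' if ok else 'reject'}")
```

The point of the stale-TGT case is that the client-side password prompt the post describes is only meaningful if the server refuses tickets whose authtime predates the prompt; checking expiry alone would let any cached credential refresh the sentinel.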
