SSH mediated Kerberos authenticated sudo. g.w at
Wed Dec 22 13:31:23 EST 2010

Good afternoon, I hope the week is going well for everyone.

Since Randy Quaid has recently been in the news I thought I would
start this note with his inspirational line from 'Independence Day':

Iiiiiimmmmmmmm bbbbaaaaccccckkkkkk........ :-)

I always strive for greatness in my life so as we were going into this
holiday season I decided there was probably no greater greatness to
aspire to than to be like Simon Wilkinson.  To conjure up patches of
great usefulness to the Kerberos community which wouldn't have a
prayer of being accepted by the SSH community.

We got hit with a rather aggressive round of early snow up here in
North Dakota so I've been able to spend a fair amount of time
cross-country skiing with my golden retriever Izzy.  That has given me
some time to think about a project which I have been meaning to do for
some time.

So I've spent the holiday season skiing, snow shoeing, thinking and
tinkering to come up with a set of patches which implement support for
doing sudo authentication 'right' with respect to the Kerberos
authentication model.  So as a holiday gift to the Kerberos community
at large the following is available:

These patches implement an AP-REQ authentication module for sudo and a
set of companion patches to the public version of OpenSSH to
facilitate the use of this module.

There is a README in the tar file which documents the problem these
patches attempt to address along with a general architectural overview
for how things work.

A quick summary:

The patches implement a ~s escape sequence in the ssh client which
prompts the user for a password to authenticate the creation of an
AP-REQ packet for the remote client.  Upon successful authentication
the packet is conveyed to the server via an SSH local packet type.

The patches implement a requirement for a very short 10 second
lifetime on the authentication packet.  This is to maintain the
concept of immediacy of the user on the client side.

On login the server creates a temporary file and stores the name of
this file in an environment variable named SUDO_CREDENTIAL which is
exported into the user's login session.  Upon receipt of the AP-REQ
packet the server writes the packet into the file so it is available
on the remote machine.

The user is then prompted for a standard sudo command which uses the
AP-REQ packet to authenticate the privilege escalation request.

Hopefully all of this will be useful for system administrators at
Kerberos sites which enjoy the flexibility of sudo but get vaguely
queasy as they type their passwords into remote machines.

As the version number indicates these patches are very young so I
appreciate all the eyeballs we can get on them due to the nature of
the tools involved.  The SSH server/client patches run in the
unprivileged side of the privilege separation process pair and the
kerb5apreq support in sudo uses the barest minimum of root privileges
so the security footprint on these should be reasonably small.

There is no Heimdal support so if anyone is interested I would gladly
accept incrementals to graft on support for those sites as well.

Just in general spirit I will probably bolt on some type of Kerberos
mediated authorization in the future to keep the conversation
lively... :-)

Best wishes for a pleasant holiday weekend.

As always,
Greg Wettstein and Dal-Rhe's Golden Boy Saint Isadore 'Izzy'

			 The Hurderos Project
         Open Identity, Service and Authorization Management

`We're sysadmins.  We deal with the inconceivable so often I can
 clearly see the need to define levels of inconceivability.'
                                -- Rik Steenwinkel
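As an added example (not part of the post or of Greg's patches), here is the sudo-side handling the post describes, written as a defender would want it: open the SUDO_CREDENTIAL file without following symlinks, check ownership and mode on the open descriptor, enforce the 10 second lifetime, and consume the credential once. Because real AP-REQ verification needs libkrb5 (krb5_rd_req), the credential here is a constructed JSON stand-in carrying the principal and the authenticator timestamp; the file names and the demo() scenario are constructed too.

```python
import json, os, stat, tempfile, time

LIFETIME_SECONDS = 10  # the 10 second AP-REQ lifetime from the post

class CredentialError(Exception):
    """Raised when the SUDO_CREDENTIAL file must not be trusted."""

def read_credential(path, invoking_uid):
    """Open SUDO_CREDENTIAL with O_NOFOLLOW and check the open descriptor (no TOCTOU)."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise CredentialError("not a regular file")
        if st.st_uid != invoking_uid:
            raise CredentialError("not owned by the invoking user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise CredentialError("group/world accessible")
        return os.read(fd, 65536)
    finally:
        os.close(fd)

def verify(path, invoking_uid, now):
    """Stand-in for the sudo-side check. A real module hands the bytes to
    krb5_rd_req and reads the timestamp from the authenticator; this
    constructed format is a JSON object carrying the same two facts."""
    data = json.loads(read_credential(path, invoking_uid))
    age = now - data["issued_at"]
    if age < 0 or age > LIFETIME_SECONDS:
        raise CredentialError("outside the %ds lifetime" % LIFETIME_SECONDS)
    os.unlink(path)  # single use: the next sudo needs a fresh ~s exchange
    return data["principal"]

def demo():
    """Constructed scenario: one 2 s old credential and one 30 s old one."""
    now, results = time.time(), {}
    for name, age in (("fresh", 2), ("stale", 30)):
        fd, path = tempfile.mkstemp()  # created mode 0600, owned by us
        os.write(fd, json.dumps({"principal": "user@EXAMPLE.COM",
                                 "issued_at": now - age}).encode())
        os.close(fd)
        try:
            results[name] = verify(path, os.getuid(), now)
        except CredentialError as exc:
            results[name] = "rejected: %s" % exc
        finally:
            if os.path.exists(path):
                os.unlink(path)
    return results
```

The fresh credential yields the principal and is deleted; the stale one is rejected by the lifetime check before any privilege is granted.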
