Comment by tsbinz

2 years ago

That is not the only time you use passwords over ssh, e.g. I don't use a password to remote into my desktop from my laptop, but I do use one when using sudo on the desktop.

Actually this is something that is relevant to my interests.

I prefer to have sudo ask for a password when I'm physically in front of the machine, but not if it's a remote session (e.g. SSH from my laptop to my desktop).

Maybe the SSH agent on the client can re-authenticate to the server when requested?

  • > Maybe the SSH agent on the client can re-authenticate to the server when requested?

    There is a PAM module that does this: https://github.com/jbeverly/pam_ssh_agent_auth

    Note that this is a bad idea from the security standpoint, as it requires SSH agent forwarding. Which means that, if the remote server is compromised, the attacker can use your SSH agent to log into other servers as you.
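An added configuration example (not from the thread or the pam_ssh_agent_auth project) showing how the module is typically wired into sudo and the client-side settings that narrow the forwarding risk described above; the authorized-keys path, the fallback include line and the host names are assumptions.

```conf
# /etc/pam.d/sudo (server side)
# Try a key from the forwarded agent first; fall back to the normal
# password prompt if none matches. Key file path is an assumption; the
# fallback include line varies by distribution.
auth  sufficient  pam_ssh_agent_auth.so  file=/etc/security/authorized_keys
auth  include     system-auth

# /etc/sudoers (server side)
# sudo scrubs the environment; SSH_AUTH_SOCK must survive or the PAM
# module never sees the forwarded agent socket.
Defaults  env_keep += "SSH_AUTH_SOCK"

# ~/.ssh/config (client side)
# Never forward the agent by default. Enable it only for the one host
# where the PAM module runs, and reach anything behind it with ProxyJump
# instead of a forwarded agent. Host aliases are assumed values.
Host *
    ForwardAgent no

Host desktop
    HostName desktop.example.org
    ForwardAgent yes

Host internal-*
    ProxyJump desktop
```

Loading the key with `ssh-add -c` makes the agent ask for confirmation on every signature, so a compromised remote host cannot use the forwarded agent without the user noticing.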

Is there no way to forward fido tokens? Or the GPG agent with a Yubikey.

Under Windows, you can forward your smartcard over remote desktop. It's one of the few things Windows has I miss on Linux.

  • Forwarding the ssh agent (-A) is considered insecure. Instead, man ssh recommends using a jump host (-J).

    • I was talking about the GPG agent, so that the key on the smart card can be used for sudo elevation on the remote host. This usually requires user interaction with the key, so just having access to the agent wouldn't do much. I don't think the ssh agent would help with this.

      To your point, I wonder whether that consideration holds when the private key is held on an external device, like is the case with a YubiKey. I use that setup, and I can't add the key to the ssh agent.

          $ ssh-add .ssh/id_yubikey_gpg.pub
          Error loading key ".ssh/id_yubikey_gpg.pub": error in libcrypto

      SSH connections work fine with that key.

  • I attempt to use this and some programs recognize this and many just don't

    • Don't these apps just use PAM? Since the initial complaint was about sudo, I'd figure pam / polkit would handle this, and apps would call those to obtain privilege elevation.

FWIW, you can probably configure sudo to use something other than passwords. On a Mac you can use the fingerprint reader for example, it's just disabled by default.

And your terminal may come with a password manager too, which would be unlocked with whatever means.

Again, on a Mac with iTerm you can do this with a fingerprint.

That's not what the parent is talking about.

They're specifically referring to password authentication to make the ssh connection.