BLU Discuss list archive
[Discuss] ssh keys question
- Subject: [Discuss] ssh keys question
- From: smallm at sdf.org (Mike Small)
- Date: Fri, 17 Jun 2016 02:17:20 +0000
- In-reply-to: <57634288.6090704@borg.org> (message from Kent Borg on Thu, 16 Jun 2016 20:21:28 -0400)
Kent Borg <kentborg at borg.org> writes:

> On 06/16/2016 06:37 PM, Dan Ritter wrote:
>> 1. You can assign passwords, but tell sshd to only allow access via
>> keys. This is a Good Idea.
>
> So for you--someone running your own machine--you use keys to login but
> still use a password on sudo? (This is common? Seems part of going to
> keys is to get rid of passwords.)

I hope it's common. Though personally I don't ssh back into my home network, so my ssh keys are only for outgoing connections.

> But if you do not require a password on sudo it means that any program
> you run runs with root privileges if it just bothers to ask for it.
> Kinda the opposite of dropping privileges.

sudo is also handy for dropping privileges. E.g. when using Linux at home I like using a 2nd user to run firefox (for general surfing) and to run xterms to play movies or audio files I've downloaded from the web, and when running a bittorrent client: i.e. when running complicated buggy programs against untrusted data from the world at large.

otheruser below (names changed) is a 2nd user I created with little in his home directory and mainuser is my normal user who has more information in his directory.

    alias xunpriv='xhost +si:localuser:otheruser; sudo -iu otheruser xterm'
    alias ff='xhost +si:localuser:otheruser; sudo -iu otheruser firefox'

The following line in my sudoers lets my regular user sudo to the less privileged user (but not vice versa):

    # sudo -iu otheruser xterm expands to /bin/bash -c xterm
    mainuser ALL=(otheruser) NOPASSWD: /bin/bash -c *

(If someone sees any mistakes here please point them out. Reading the sudoers man page is an endeavour.)

I also have something set up in su like BSD's wheel group so that only the main user can use su to get to root. I'm not sure if this would be the same on other distributions than Slackware, which is a holdout not only on systemd but on pam. If I remember rightly there's a different way to emulate wheel when using pam.

    1223r0:etc$ cat suauth
    root:ALL EXCEPT GROUP wheel:DENY
    mainuser:ALL:DENY

otheruser is not in group wheel so can't su to root, nor can he su to mainuser due to the 2nd line.

Some people advocate making otheruser nologin. I haven't done that yet cause I used to like to be able to login as that user when I knew I was only going to listen to one podcast and then turn off the computer. otheruser also lacks the ssh keys I use to connect to other machines.

--
Mike Small
smallm at sdf.org
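To check what the two-line suauth above actually permits before relying on it, here is a small evaluator of suauth(5) rules added as a worked example; it is not code from the post. It assumes the rule grammar from suauth(5) (to-id:from-id:ACTION, first matching line wins) and uses a constructed group table in place of /etc/group.

```python
# Evaluator for suauth(5) rules: added example, not from the mailing-list post.
# Rule line: "to-id:from-id:ACTION". from-id may be ALL, GROUP g[,g..],
# ALL EXCEPT GROUP g, ALL EXCEPT user[,user..] or a comma list of users;
# to-id may be ALL or a comma list of users. First matching rule decides.
# Only non-root callers are modelled; su never prompts root at all.

SUAUTH_TEXT = """\
root:ALL EXCEPT GROUP wheel:DENY
mainuser:ALL:DENY
"""

# Constructed sample membership: only mainuser is in wheel.
GROUPS = {"wheel": {"mainuser"}}


def parse_suauth(text):
    """Return [(to_spec, from_spec, ACTION)] for each non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        to_id, from_id, action = (f.strip() for f in line.split(":", 2))
        rules.append((to_id, from_id, action.upper()))
    return rules


def _from_matches(from_spec, user, groups):
    negate = from_spec.upper().startswith("ALL EXCEPT ")
    if negate:
        from_spec = from_spec[len("ALL EXCEPT "):].strip()
    if from_spec.upper() == "ALL":
        hit = True
    elif from_spec.upper().startswith("GROUP "):
        names = {g.strip() for g in from_spec[len("GROUP "):].split(",")}
        hit = any(user in groups.get(g, set()) for g in names)
    else:
        hit = user in {u.strip() for u in from_spec.split(",")}
    return hit != negate


def su_decision(from_user, to_user, rules=None, groups=None):
    """ACTION of the first matching rule, or None (normal su password prompt)."""
    rules = parse_suauth(SUAUTH_TEXT) if rules is None else rules
    groups = GROUPS if groups is None else groups
    for to_spec, from_spec, action in rules:
        to_ok = to_spec.upper() == "ALL" or to_user in {
            u.strip() for u in to_spec.split(",")}
        if to_ok and _from_matches(from_spec, from_user, groups):
            return action
    return None
```

With the sample membership, su_decision("otheruser", "root") and su_decision("otheruser", "mainuser") both return "DENY", while mainuser is left with the ordinary password prompt in both directions.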
- References:
- [Discuss] ssh keys question
- From: kentborg at borg.org (Kent Borg)
- [Discuss] ssh keys question