configpolicy

dustin

configpolicy

Fork 0

Commit Graph

Author	SHA1	Message	Date
Dustin	091d9e1f78	r/sudo: Optionally enable pam_ssh_agent_auth The [pam_ssh_agent_auth][0] PAM module authenticates users using keys in their SSH agent. Using SSH agent forwarding, it can even authenticate users with keys on a remote system. By adding it to the PAM stack for `sudo`, we can configure the latter to authenticate users without requiring a password. For servers especially, this is significantly more secure than configuring `sudo` not to require a password, while still being almost as convenient. For this to work, users need to enable SSH agent forwarding on their clients, and their public keys have to be listed in the `/etc/security/sudo.authorized_keys` file. Additionally, although the documentation suggests otherwise, the `SSH_AUTH_SOCK` environment variable has to be added to the `env_keep` list in sudoers(5). [0]: https://github.com/jbeverly/pam_ssh_agent_auth	2024-01-28 12:16:35 -06:00
Dustin	d2eb61cce1	r/sudo: Tag install tasks Tasks that install packages need to be tagged as `install` so they can be skipped by Jenkins daily runs.	2023-10-21 22:16:28 -05:00
Dustin	f16b7557cd	roles/sudo: Configure sudo and policy The sudo role installs `sudo` and configures policy for it. By default, users who are members of the sudo group can run any command as root.	2018-03-11 18:16:17 -05:00

Author

SHA1

Message

Date

Dustin

091d9e1f78

r/sudo: Optionally enable pam_ssh_agent_auth

The [pam_ssh_agent_auth][0] PAM module authenticates users using keys in
their SSH agent.  Using SSH agent forwarding, it can even authenticate
users with keys on a remote system.  By adding it to the PAM stack for
`sudo`, we can configure the latter to authenticate users without
requiring a password.  For servers especially, this is significantly
more secure than configuring `sudo` not to require a password, while
still being almost as convenient.

For this to work, users need to enable SSH agent forwarding on their
clients, and their public keys have to be listed in the
`/etc/security/sudo.authorized_keys` file.  Additionally, although the
documentation suggests otherwise, the `SSH_AUTH_SOCK` environment
variable has to be added to the `env_keep` list in *sudoers(5)*.

[0]: https://github.com/jbeverly/pam_ssh_agent_auth

2024-01-28 12:16:35 -06:00

Dustin

d2eb61cce1

r/sudo: Tag install tasks

Tasks that install packages need to be tagged as `install` so they can
be skipped by Jenkins daily runs.

2023-10-21 22:16:28 -05:00

Dustin

f16b7557cd

roles/sudo: Configure sudo and policy

The *sudo* role installs `sudo` and configures policy for it. By
default, users who are members of the *sudo* group can run any command
as root.

2018-03-11 18:16:17 -05:00

3 Commits (142682ce2f7d73ad94bc11ab4e34b7f60a09e436)