Using OpenPGP / GnuPG to unlock 'sudo bla bla' or 'sudo -s'
Matthias Apitz
guru at unixarea.de
Mon Aug 12 19:27:19 CEST 2024
On Monday, August 12, 2024 at 06:13:43 PM +0200, Werner Koch via Gnupg-users wrote:
> On Mon, 12 Aug 2024 14:26, Matthias Apitz said:
>
> > password-store and for outbound SSH/SCP. Is there a way, for example
> > with a config in /etc/pam.d/.... to use the OpenPGP card for providing
> > the password to 'sudo xxxx' or 'sudo -s'
>
> I thought these days everyone is using
>
> ssh root@localhost foo --bar baz

After sudo -s:

cat ~root/.ssh/authorized_keys
ssh-rsa [...] openpgp:0x237B4D65

As unpriv user purism:

ssh -vv root@localhost
(PIN of OpenPGP card is asked)
...
debug1: Server accepts key: cardno:00050000CF41 RSA SHA256:DC+r35okkvh99xY7Z3Z5Xb0AMCs5E6hzlYia1QxrY6c agent
Your account has expired; please contact your system administrator.
Connection closed by ::1 port 22

The root account of the L5 is locked for some good reasons.

matthias
--
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.