Using OpenPGP / GnuPG to unlock 'sudo bla bla' or 'sudo -s'

Matthias Apitz guru at unixarea.de
Mon Aug 12 19:27:19 CEST 2024


On Monday, August 12, 2024 at 06:13:43 p.m. +0200, Werner Koch via Gnupg-users wrote:

> On Mon, 12 Aug 2024 14:26, Matthias Apitz said:
> 
> > password-store and for outbound SSH/SCP. Is there a way, for example
> > with a config in /etc/pam.d/.... to use the OpenPGP card for providing
> > the password to 'sudo xxxx' or 'sudo -s'
> 
> I thought these days everyone is using
> 
>   ssh root@localhost foo --bar baz


After sudo -s:

cat ~root/.ssh/authorized_keys
ssh-rsa [...] openpgp:0x237B4D65

As unpriv user purism:

ssh -vv root@localhost

(PIN of OpenPGP card is asked)

...
debug1: Server accepts key: cardno:00050000CF41 RSA SHA256:DC+r35okkvh99xY7Z3Z5Xb0AMCs5E6hzlYia1QxrY6c agent
Your account has expired; please contact your system administrator.
Connection closed by ::1 port 22

The root account of the L5 is locked for some good reasons.

	matthias
-- 
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.


