On 5/31/2011 3:40 PM, Anders Johansson wrote:
On Wednesday 01 June 2011 00:24:22 Edwin Helbert Aponte Angarita wrote:
I think this is a security issue. An unprivileged user that knows that
the system is maintained remotely using ssh and, perhaps, sudo, could
keep attempting to use sudo until they get it.
They would first need to log in as the same user the admin was using. sudo
won't do that for all users. It just remembers that you have already
authenticated once, and won't force you to do it again until some time later.
I think the point Edwin was trying to make was assume you ssh into
a remote machine _that is being used_ by an authorized user, and
you use that person's login and then issue a sudo command.
The regular user sitting at that remote machine can then issue another
sudo without knowing root's login (allegedly).
(If I'm interpreting Edwin's posting correctly.)
I don't think this really works, because caching of sudo credentials
is specific to a login session, not specific to a user id.
I tested this by sshing into my (11.4+kde) laptop from my other machine.
I logged in as me in the ssh session, and I was already logged in
on the laptop itself.
I issued a sudo command, gave root's password, and immediately tried it
on the other machine.
Regardless of where I first did the sudo command, I was forced to enter
root's password again when doing it in the other place.
Didn't matter if the first sudo was over ssh or at the console.
Each session was individually authenticated.
So I have to ask Edwin if he is speculating, or if he actually tried this.
It is a convenience thing in sudo, so the same user won't have to type the
admin password every single time. You can disable it if you like in
/etc/sudoers by adding
By default sudo will not ask the same user for the password until 5 minutes
I'm running normal settings here. sudo authentication persists for 5 minutes
but it is specific to the login session.
---This space for rent---
To unsubscribe, e-mail: opensuse+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse+help(a)opensuse.org
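The thread turns on whether sudo's cached authentication is per login session or per user, and on the sudoers setting that controls the cache lifetime. As an added example that is not code from this thread or from the sudo project, the POSIX shell helper below audits the plain `Defaults` lines of a sudoers file for the two real options that govern this, `timestamp_timeout` (cache lifetime in minutes, 0 disables caching) and `tty_tickets` (a separate ticket per tty/session versus one ticket per user), and prints a one-line verdict. It assumes that current sudo's per-tty behaviour applies when neither option is set, and it does not follow `Defaults:user`/`Defaults@host` forms or `/etc/sudoers.d`. The sudoers content it reads is constructed for the example.

```shell
#!/bin/sh
# Added audit helper, not from the thread or the sudo project.
# Reads the plain "Defaults" lines of a sudoers file and reports how
# sudo will cache credentials. Only handles "Defaults" (not Defaults:user,
# Defaults@host or sudoers.d includes); that is an assumption of this example.

# Print every option token from Defaults lines, one per line, with
# comments stripped, "opt = val" normalised to "opt=val" and commas removed.
sudo_defaults() {
    sed -e 's/#.*//' "$1" | awk '
        $1 == "Defaults" {
            gsub(/[ \t]*=[ \t]*/, "=")   # "timestamp_timeout = 5" -> "timestamp_timeout=5"
            gsub(/,/, " ")               # comma-separated options become fields
            for (i = 2; i <= NF; i++) print $i
        }'
}

# Print the last timestamp_timeout value set; sudo's own default is 5 minutes.
sudo_timeout() {
    sudo_defaults "$1" | awk -F= '
        $1 == "timestamp_timeout" { v = $2 }
        END { print (v == "" ? 5 : v) }'
}

# Print "tty" when each tty/session needs its own authentication (tty_tickets,
# assumed here to be sudo's default) or "user" when one ticket covers every
# session of the user (!tty_tickets), which is the situation the thread worries about.
sudo_ticket_scope() {
    sudo_defaults "$1" | awk '
        $0 == "tty_tickets"  { s = "tty" }
        $0 == "!tty_tickets" { s = "user" }
        END { print (s == "" ? "tty" : s) }'
}

# One-line verdict combining lifetime and scope.
sudo_cache_policy() {
    t=$(sudo_timeout "$1")
    case "$t" in
        0)  echo "caching disabled: password asked on every sudo" ;;
        -*) echo "caching never expires, scope=$(sudo_ticket_scope "$1")" ;;
        *)  echo "cached ${t} min, scope=$(sudo_ticket_scope "$1")" ;;
    esac
}

# Constructed sample sudoers files (not real system files).
SAMPLE=$(mktemp)
STRICT=$(mktemp)
trap 'rm -f "$SAMPLE" "$STRICT"' EXIT

cat > "$SAMPLE" <<'EOF'
# constructed sample: one ticket per user, kept for 10 minutes
Defaults env_reset
Defaults timestamp_timeout = 10, !tty_tickets   # shared across all of the user's sessions
%wheel ALL=(ALL) ALL
EOF

cat > "$STRICT" <<'EOF'
# constructed sample: no caching at all
Defaults env_reset
Defaults timestamp_timeout=0
%wheel ALL=(ALL) ALL
EOF

sudo_cache_policy "$SAMPLE"   # cached 10 min, scope=user
sudo_cache_policy "$STRICT"   # caching disabled: password asked on every sudo
```

Run it against a copy of a real `/etc/sudoers` to see which of the two behaviours discussed in the thread a host actually has; a `scope=user` result is the one where a second session of the same account could reuse an admin's cached authentication.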