[gentoo-user] sudo

[gentoo-user] sudo

[John Dangler]

[-- Attachment #1: Type: text/plain, Size: 766 bytes --]

I'm looking into setting up sudo on my latest test box (stage3/genkernel
2.6.12-r9)

In portage, sudo says "Allows users or groups to run commands as other
users".  The latest stable shows 1.6.8_p9 (although the one before is it
unstable, and the one before that is stable) hmm.

Anyway, the use flags show "pam skey offensive ldap"

Pam, I get. offensive and ldap - probably won't use these.  But skey.

skey says it's a "Linux Port of OpenBSD Single-key Password System"  That's
all the info I've been able to find out so far.

The connecting page is a Solaris page that doesn't exist.  I'm trying to
find out exactly what this means, since it's a recommended piece from the
Gentoo security handbook.

 

Any input as always is greatly appreciated.

 

John D

 


[-- Attachment #2: Type: text/html, Size: 3398 bytes --]

Re: [gentoo-user] sudo

[Jonathan Wright]

John Dangler wrote:
> The connecting page is a Solaris page that doesn’t exist.  I’m trying to
> find out exactly what this means, since it’s a recommended piece from
> the Gentoo security handbook.

There's a page at the gentoo wiki with some information about how to set
it all up:

"S/keys are one time use passwords. You can use them if you need to
provide passwords where someone may be monitoring your keystrokes.
S/keys are generated randomly, usually around 100 are generated at one
time, with a passphrase as a key. (This passphrase is independent of
your main system password.)"

--
 Jonathan Wright                           ~ mail at djnauk.co.uk
                                           ~ www.djnauk.co.uk
--
 2.6.12-gentoo-r6-djnauk-b7 Intel(R) Pentium(R) 4 Mobile CPU 1.80GHz
 up 11:09,  2 users,  load average: 1.50, 2.22, 1.99
--
 "Governor Schwarzenegger has come out against gay  marriage  and
 then he went back to slathering body oil all over his muscles in
 front of other guys."

                                                  ~ Craig Kilborn


-- 
gentoo-user@gentoo.org mailing list

RE: [gentoo-user] sudo

[John Dangler]

so, the best place to start would be to emerge sudo (and it's dependencies),
and then try and configure it from there... (?) I'm guessing that, with the
use flags set, it would also grab skey...

John D


-----Original Message-----
From: Jonathan Wright [mailto:mail@djnauk.co.uk] 
Sent: Thursday, August 25, 2005 3:11 PM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] sudo

John Dangler wrote:
> The connecting page is a Solaris page that doesn't exist.  I'm trying to
> find out exactly what this means, since it's a recommended piece from
> the Gentoo security handbook.

There's a page at the gentoo wiki with some information about how to set
it all up:

"S/keys are one time use passwords. You can use them if you need to
provide passwords where someone may be monitoring your keystrokes.
S/keys are generated randomly, usually around 100 are generated at one
time, with a passphrase as a key. (This passphrase is independent of
your main system password.)"

--
 Jonathan Wright                           ~ mail at djnauk.co.uk
                                           ~ www.djnauk.co.uk
--
 2.6.12-gentoo-r6-djnauk-b7 Intel(R) Pentium(R) 4 Mobile CPU 1.80GHz
 up 11:09,  2 users,  load average: 1.50, 2.22, 1.99
--
 "Governor Schwarzenegger has come out against gay  marriage  and
 then he went back to slathering body oil all over his muscles in
 front of other guys."

                                                  ~ Craig Kilborn


-- 
gentoo-user@gentoo.org mailing list




-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] sudo

[Jonathan Wright]

John Dangler wrote:
> so, the best place to start would be to emerge sudo (and it's dependencies),
> and then try and configure it from there... (?) I'm guessing that, with the
> use flags set, it would also grab skey...

Something like that. But, at the end of the day, it depends whether you
want the feature of having single-use keys available on the
computer/server. If that's of no use to you, there's no point in setting
the skey flag and just leaving it alone.

-- 
 Jonathan Wright                           ~ mail at djnauk.co.uk
                                           ~ www.djnauk.co.uk
--
 2.6.12-gentoo-r6-djnauk-b7 Intel(R) Pentium(R) 4 Mobile CPU 1.80GHz
 up 13:29,  2 users,  load average: 0.12, 0.25, 0.33
--
 "You know what they  say:  You  can't  teach  a  gay  dog  straight
 tricks."

                              ~ Trey Parker & Matt Stone, South Park
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] sudo

[Willie Wong]

On Thu, Aug 25, 2005 at 02:40:59PM -0400, John Dangler wrote:
> skey says it's a "Linux Port of OpenBSD Single-key Password System"  That's
> all the info I've been able to find out so far.
> 
http://gentoo-wiki.com/HOWTO_Skeys

w

-- 
"Pages one and two [of Zaphod's presidential speech] had 
been salvaged by a Damogran Frond Crested Eagle and had 
already become incorporated into an extraordinary new form 
of nest which the eagle had invented. It was constructed 
largely of papier mache and it was virtually impossible for 
a newly hatched baby eagle to break out of it. The Damogran 
Frond Crested Eagle had heard of the notion of survival of 
the species but wanted no truck with it." 

- An example of Damogran wildlife. 
Sortir en Pantoufles: up 13 days, 22:22
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] sudo

[C.Beamer]

John Dangler wrote:

> I’m looking into setting up sudo on my latest test box
> (stage3/genkernel 2.6.12—r9)
>
> In portage, sudo says “Allows users or groups to run commands as other
> users”. The latest stable shows *1.6.8_p9 (although the one before is
> it unstable, and the one before that is stable) hmm…*
>
> Anyway, the use flags show “pam skey offensive ldap”
>
> Pam, I get… offensive and ldap – probably won’t use these. But skey…
>
> skey says it’s a “Linux Port of OpenBSD Single-key Password System”
> That’s all the info I’ve been able to find out so far…
>
I'm fairly new to Gentoo, so am hardly an authority. However, I do have
sudo working. This is how I did it.

First, I did emerge --search sudo. Of course this returns the "packages"
that have "sudo" in them. A friend told me to do 'emerge -av <package
name>' This lists the available "use flags" for whatever package you
name, for instance 'emerge -av sudo', which will list the available use
flags for sudo.

You also need to install vim because you have to edit the /etc/sudoers
file in order to add a user name. If you display the sudoers file ('cat
sudoers') it will tell you that the file *must* be edited by the visudo
command as root.

In the sudoers file, below the line that reads:
root ALL=(ALL) ALL

you enter the information for the user.

I have 'colleen' set up as a user on my system, so it inserted the line:

colleen ALL=(ALL) ALL

Someone might be able to give you better instructions related to
security, but my system is stand alone and ergo colleen and root have
the same privileges.

Hope this helps.

Regards,

Colleen
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] sudo

[Holly Bostick]

C.Beamer schreef:
> John Dangler wrote:
> 
> 
>>I’m looking into setting up sudo on my latest test box
>>(stage3/genkernel 2.6.12—r9)
>>
>>In portage, sudo says “Allows users or groups to run commands as other
>>users”. The latest stable shows *1.6.8_p9 (although the one before is
>>it unstable, and the one before that is stable) hmm…*
>>
>>Anyway, the use flags show “pam skey offensive ldap”
>>
>>Pam, I get… offensive and ldap – probably won’t use these. But skey…
>>
>>skey says it’s a “Linux Port of OpenBSD Single-key Password System”
>>That’s all the info I’ve been able to find out so far…
>>
> 
> I'm fairly new to Gentoo, so am hardly an authority. However, I do have
> sudo working. This is how I did it.
> 
> First, I did emerge --search sudo. Of course this returns the "packages"
> that have "sudo" in them. A friend told me to do 'emerge -av <package
> name>' This lists the available "use flags" for whatever package you
> name, for instance 'emerge -av sudo', which will list the available use
> flags for sudo.
> 
> You also need to install vim because you have to edit the /etc/sudoers
> file in order to add a user name. If you display the sudoers file ('cat
> sudoers') it will tell you that the file *must* be edited by the visudo
> command as root.

You're not quite correct on this; the command that must be used is
indeed visudo, but that does not mean you need to use vi(m) to edit the
file. I do it with nano, myself.

But I think that's because my default editor (in /etc/rc.conf) is nano,
not vi.

> 
> In the sudoers file, below the line that reads:
> root ALL=(ALL) ALL
> 
> you enter the information for the user.
> 
> I have 'colleen' set up as a user on my system, so it inserted the line:
> 
> colleen ALL=(ALL) ALL
> 
> Someone might be able to give you better instructions related to
> security, but my system is stand alone and ergo colleen and root have
> the same privileges.

The more traditional way to do this is to uncomment the line already
present in the file

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

Remove the "#" mark to uncomment the command, and if you are a member of
the wheel group, which you should be, if you want to run su in the first
place (which of course you do, if you want to use sudo), then you're done.

The cool thing about this all is that it allows you to set up aliases in
your .bashrc that make specific commands you might want to run as root
go much faster.

If you also set up a subset of root-only commands (such as emerge,
glsa-check, etc-update, "nano /etc/portage/package.keywords") to be
allowed to run without a password, it goes faster still with the use of
aliases, because then you can alias things like

alias emerge='sudo emerge_with_indexing_for_cfg-update'

and then you can just type 'emerge -blah whatever' in a regular old
console and get on with your life. It's not like emerging things doesn't
take long enough without having to type in a password (and since I'm
used to su-ing rather than sudo-ing, I always type the wrong one and get
kicked out anyway ;) so it takes even longer since I have to start all
over again).

There is no real way to make allowing anyone to sudo really secure
(because it's inherently insecure to punch holes in your 'who's allowed
to do what' scheme), other than making sure that you trust those who you
do allow (in this case, since it's yourself, that's not an issue), and
making sure that no one has access to your machine that could use your
trust of yourself against you (i.e., if someone had physical access to
your login, or gained such access through hacking, they would have all
the access of colleen, who has all the access of root, rather than
having to try and brute-force the root password out of you/your system).

But that's what firewalls and encryption (and turning off/logging out of
your PC when irresponsible or untrustowrthy people are around) are for.

Holly
-- 
gentoo-user@gentoo.org mailing list

RE: [gentoo-user] sudo

[John Dangler]

Jonathan, Colleen, Holly~
Thanks for the additional comments.  Am I to understand, then, that I can
emerge sudo without the use of skey?  Since I'm still not entirely sure what
its function is, I'd feel better leaving it alone.  If so, then I'll get it
emerged and follow the posts to get it setup...

Thanks for the reply.

John D


-----Original Message-----
From: Holly Bostick [mailto:motub@planet.nl] 
Sent: Thursday, August 25, 2005 6:14 PM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] sudo

C.Beamer schreef:
> John Dangler wrote:
> 
> 
>>I'm looking into setting up sudo on my latest test box
>>(stage3/genkernel 2.6.12-r9)
>>
>>In portage, sudo says "Allows users or groups to run commands as other
>>users". The latest stable shows *1.6.8_p9 (although the one before is
>>it unstable, and the one before that is stable) hmm.*
>>
>>Anyway, the use flags show "pam skey offensive ldap"
>>
>>Pam, I get. offensive and ldap - probably won't use these. But skey.
>>
>>skey says it's a "Linux Port of OpenBSD Single-key Password System"
>>That's all the info I've been able to find out so far.
>>
> 
> I'm fairly new to Gentoo, so am hardly an authority. However, I do have
> sudo working. This is how I did it.
> 
> First, I did emerge --search sudo. Of course this returns the "packages"
> that have "sudo" in them. A friend told me to do 'emerge -av <package
> name>' This lists the available "use flags" for whatever package you
> name, for instance 'emerge -av sudo', which will list the available use
> flags for sudo.
> 
> You also need to install vim because you have to edit the /etc/sudoers
> file in order to add a user name. If you display the sudoers file ('cat
> sudoers') it will tell you that the file *must* be edited by the visudo
> command as root.

You're not quite correct on this; the command that must be used is
indeed visudo, but that does not mean you need to use vi(m) to edit the
file. I do it with nano, myself.

But I think that's because my default editor (in /etc/rc.conf) is nano,
not vi.

> 
> In the sudoers file, below the line that reads:
> root ALL=(ALL) ALL
> 
> you enter the information for the user.
> 
> I have 'colleen' set up as a user on my system, so it inserted the line:
> 
> colleen ALL=(ALL) ALL
> 
> Someone might be able to give you better instructions related to
> security, but my system is stand alone and ergo colleen and root have
> the same privileges.

The more traditional way to do this is to uncomment the line already
present in the file

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

Remove the "#" mark to uncomment the command, and if you are a member of
the wheel group, which you should be, if you want to run su in the first
place (which of course you do, if you want to use sudo), then you're done.

The cool thing about this all is that it allows you to set up aliases in
your .bashrc that make specific commands you might want to run as root
go much faster.

If you also set up a subset of root-only commands (such as emerge,
glsa-check, etc-update, "nano /etc/portage/package.keywords") to be
allowed to run without a password, it goes faster still with the use of
aliases, because then you can alias things like

alias emerge='sudo emerge_with_indexing_for_cfg-update'

and then you can just type 'emerge -blah whatever' in a regular old
console and get on with your life. It's not like emerging things doesn't
take long enough without having to type in a password (and since I'm
used to su-ing rather than sudo-ing, I always type the wrong one and get
kicked out anyway ;) so it takes even longer since I have to start all
over again).

There is no real way to make allowing anyone to sudo really secure
(because it's inherently insecure to punch holes in your 'who's allowed
to do what' scheme), other than making sure that you trust those who you
do allow (in this case, since it's yourself, that's not an issue), and
making sure that no one has access to your machine that could use your
trust of yourself against you (i.e., if someone had physical access to
your login, or gained such access through hacking, they would have all
the access of colleen, who has all the access of root, rather than
having to try and brute-force the root password out of you/your system).

But that's what firewalls and encryption (and turning off/logging out of
your PC when irresponsible or untrustowrthy people are around) are for.

Holly
-- 
gentoo-user@gentoo.org mailing list





-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] sudo

[Jonathan Wright]

John Dangler wrote:
> Jonathan, Colleen, Holly~
> Thanks for the additional comments.  Am I to understand, then, that I can
> emerge sudo without the use of skey?  Since I'm still not entirely sure what
> its function is, I'd feel better leaving it alone.  If so, then I'll get it
> emerged and follow the posts to get it setup...

That's probably best. As with most ebuilds, it's an optional extra, not
a requirement to the installation. If you're simply looking to use sudo
to run commands, the default settings are fine. They work for me just
fine :)

Then again, if you decide at a later date you want to add that feature,
there's nothing stopping you adding the flag and re-compiling the code
with skey support.

-- 
 Jonathan Wright                           ~ mail at djnauk.co.uk
                                           ~ www.djnauk.co.uk
--
 2.6.12-gentoo-r6-djnauk-b7 Intel(R) Pentium(R) 4 Mobile CPU 1.80GHz
 up 15:39,  4 users,  load average: 0.42, 0.27, 0.24
--
 "About a year ago I was a guest on a network news show in New York.
 They were showing film clips from a gay  pride  parade  down  Fifth
 Avenue, but they only decided to show the part with men in  dresses
 and heels. I had seen the parade, and there were  men  in  business
 suits as well. After showing the film,  the  newsperson  made  some
 comments, and I found the comments extremely offensive."

 "This is what's wrong with the media," I said. "You show  a  fringe
 position. You show one point of view. You're closing the  minds  of
 the people by not showing them what the reality is." I got  up  and
 walked out, and I've never been asked back again."

                                                    ~ Kathleen Nolan
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] sudo

[Anthony E. Caudel]

C.Beamer wrote:
> 
<snip>
> You also need to install vim because you have to edit the /etc/sudoers
> file in order to add a user name. If you display the sudoers file ('cat
> sudoers') it will tell you that the file *must* be edited by the visudo
> command as root.
> 
You do not need to install vim.  sudo installs visudo but, at least in
my case, visudo uses nano which is my default editor.

Tony
-- 
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
   -- Benjamin Franklin
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] sudo

[Antoine]

> You also need to install vim because you have to edit the /etc/sudoers
> file in order to add a user name. If you display the sudoers file ('cat
> sudoers') it will tell you that the file *must* be edited by the visudo
> command as root.

exaggeration... that is certainly the safe way to do it, but unless I'm 
mistaken, only really dangerous if you have lots of people logging 
in/you can't tell the other people not to do so while you are editing 
it. vipw stopped working for some strange reason and I have never looked 
back :-).
Certainly BETTER to do it that way, no denying that!
Cheers
Antoine
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] sudo

[Kurt Lieber]

On 8/25/05, John Dangler <jdangler@atlantic.net> wrote:
> I'm trying to find out exactly what this means, since it's a recommended piece from the
> Gentoo security handbook. 

It compiles sudo with support for One Time (or "single key) passwords.
 OpenSSH also supports skey.

--kurt

-- 
gentoo-user@gentoo.org mailing list

RE: [gentoo-user] sudo

[John Dangler]

>> It compiles sudo with support for One Time (or "single key) passwords.
 OpenSSH also supports skey.

It? Do you mean the latest kernel? or a stage3 build with genkernel? (I know
that skey isn't in the default list of use flags)...

John D

-----Original Message-----
From: Kurt Lieber [mailto:kurt.lieber@gmail.com] 
Sent: Thursday, August 25, 2005 7:26 PM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] sudo

On 8/25/05, John Dangler <jdangler@atlantic.net> wrote:
> I'm trying to find out exactly what this means, since it's a recommended
piece from the
> Gentoo security handbook. 

It compiles sudo with support for One Time (or "single key) passwords.
 OpenSSH also supports skey.

--kurt

-- 
gentoo-user@gentoo.org mailing list





-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] sudo

[Nick Rout]

On Thu, 25 Aug 2005 19:47:47 -0400
John Dangler wrote:

> >> It compiles sudo with support for One Time (or "single key) passwords.
>  OpenSSH also supports skey.
> 
> It? Do you mean the latest kernel? or a stage3 build with genkernel? (I know
> that skey isn't in the default list of use flags)...

"IT" means the skey USE flag, just like "it" did in your post, to which
he was replying.

It seems perhaps that you don't quite "get" USE flags (and thats no
criticism, they take a while to get your head around) but i am not going
to explain again what is in plenty of very good existing documentation.


> 
> John D
> 
> -----Original Message-----
> From: Kurt Lieber [mailto:kurt.lieber@gmail.com] 
> Sent: Thursday, August 25, 2005 7:26 PM
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] sudo
> 
> On 8/25/05, John Dangler <jdangler@atlantic.net> wrote:
> > I'm trying to find out exactly what this means, since it's a recommended
> piece from the
> > Gentoo security handbook. 
> 
> It compiles sudo with support for One Time (or "single key) passwords.
>  OpenSSH also supports skey.
> 
> --kurt
> 
> -- 
> gentoo-user@gentoo.org mailing list
> 
> 
> 
> 
> 
> -- 
> gentoo-user@gentoo.org mailing list

-- 
Nick Rout <nick@rout.co.nz>

-- 
gentoo-user@gentoo.org mailing list