Yrurtj

I'm setting up a few ubuntu boxes, and using opscode's chef as a configuration tool. It would be fairly easy to install public keys for each user on each of these servers, and disable password authentication.

However, the users should also have sudo privileges though, which by default requires a password.

If I want to use the users' public keys as a method of access management and allow the users sudo privileges, does that mean I should also set up the users with NOPASSWD: ALL in visduo, or is there a way that a user can change their own password if they only have public key authentication?

Sudo, in its most common configuration, requires the user to type his password. Typically, the user already used his password to authenticate into the account, and typing the password again is a way to confirm that the legitimate user hasn't abandoned his console and been hijacked.

In your setup, the user's password would be used only for authentication to sudo. In particular, if a user's SSH key is compromised, the attacker would not be able to elevate to root privileges on the server. The attacker could plant a key logger into the account, but this key logger would be detectable by other users, and could even be watched for automatically.

A user normally needs to know his current password to change it to a different password. The passwd program verifies this (it can be configured not to, but this is not useful or at all desirable in your scenario). However, root can change any user's password without knowing the old one; hence a user with sudo powers can change his own password without entering it at the passwd prompt by running sudo passwd $USER. If sudo is configured to require the user's password, then the user must have typed the password to sudo anyway.

You can disable password authentication selectively. In your situation, you would disable password authentication in ssh, and possibly in other services. Most services on most modern unices (including Ubuntu) use PAM to configure authentication methods. On Ubuntu, the PAM configuration files live in /etc/pam.d. To disable password authentication, comment out the auth … pam_unix.so line in /etc/pam.d/common-auth. Furthermore, make sure you have PasswordAuthentication no in /etc/ssh/sshd_config to disable sshd's built-in password authentication.

You may want to allow some administrative users to log in with a password, or to allow password authentication on the console. This is possible with PAM (it's pretty flexible), but I couldn't tell you how off the top of my head; ask a separate question if you need help.

You can use the pam_ssh_agent_auth module. It's pretty simple to compile, and then just add the entry

auth       sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys

before the other auth (or include) entries in /etc/pam.d/sudo

and

Defaults    env_keep += "SSH_AUTH_SOCK"

to /etc/sudoers (via visudo).

Now every user can either authenticate to sudo via a (forwarded or local) SSH agent or their password. It may be wise to ask your users to use ssh-add -c such that each sudo call will at least require some confirmation.

Yes, it's incredibly insecure and also allows a user to access the other users passwords, but since they have sudo, not much you can do.

Basically, you do the following:

$ sudo -i

Now, we are root. We have access to everything.

# passwd $username

$username can be anyone's username.

Enter new UNIX password:

Retype new UNIX password:
passwd: password updated successfully

Boom, password changed. Again, incredibly insecure because you can change anyones, but it works, but it works. I don't recommend it, but rather offer this answer up as an example of what not to do.

The point of the password is to ensure that hackers who obtain a user's key, or find an unattended terminal can't gain root access. For this reason I wouldn't recommend any solution that involves passwordless sudo.

I suggest you keep it simple: perhaps email a user the default password with strict instructions to change it ASAP, or else insert a script in their .profile or .login or something such that it demands a new password on their first login. It could disable itself when completed, and you could use expect to enter the existing password so they never have to know it.

#% useradd -g somegroup someuser

#% usermod -p "" someuser

#% chage -d 0 someuser

#% sed -i "s/^.*PasswordAuthentication .*/PasswordAuthentication no/" /etc/sshd/sshd_config

#% /sbin/service sshd restart

#% cp -r ~/.ssh `echo ~someuser`

#% chown -R someuser `echo ~someuser`/.ssh

#% chgrp -R somegroup `echo ~someuser`/.ssh

#% echo "%somegroup  ALL=(ALL)   ALL" >> /etc/sudoers

>
This should allow you to have users who can login only using public keys and can not
use passwords for login. However he will be forced to change the password the first time he
logs in...but without having to tell him somedummy password up front...The users will be
simply asked to reset the password and subsequently they can use it only for sudo
but will not be able to login(ssh) using that password. Note that the trick here is to not to have told users some dummy password which they would then be required to input at the time of login once they are required to to change their password ...In nut shell no communication from admin(root) to the actual user is required.

Hope that helps