Login or Register to Ask a Question and Join Our Community


UNIX for Dummies Questions & Answers

does disabling requiretty in sudo have security implications with SSH?

 
Thread Tools Search this Thread
Top Forums UNIX for Dummies Questions & Answers does disabling requiretty in sudo have security implications with SSH?
# 1  
Old 10-05-2010
Question does disabling requiretty in sudo have security implications with SSH?
I've run into an issue running rsync remotely via SSH/sudo ...

I get the error sudo: sorry, you must have a tty to run sudo

I know that I can disable the tty in sudoers file ( !requiretty),

but my question is: is there a security risk by disabling requiretty with SSH/rsync/sudo?

Is there an alternative?

Thanks

Matt
 
Login or Register to Ask a Question

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. UNIX for Beginners Questions & Answers

Command disabling sudo access

Hi, I have setup password less login to sudo for a particular group. if I do sudo /usr/local/sbin/group it will take me to the group without password. Recently i executed a command scl_source as source scl_source enable devtoolset-7. After that my sudo is asking password not sure why sudo... (2 Replies)
Discussion started by: arunkumar_mca
2 Replies

2. IP Networking

Force SSH session without/disabling X11 forwarding.

I would like to disable X11 session forcefully. I have tried the following things: 1. Setting appropriate DISPLAY variable in the /etc/environment file to be "0.0" 2. I have tried setting the sshd_config parameter X11Forwarding to be "no" This session communication is happening by exchanging... (2 Replies)
Discussion started by: vaibhavvsk
2 Replies

3. Cybersecurity

Help on Ssh using sudo

I'm confused in the configuration of sudoers for one group of users. The users need to execute a app from a remote machine, in this local machine they want me to allow ssh for them using sudo for eg. sudo -u admin ssh -X euadmin@<IP address of remote> <remote script which opens a gui> It... (1 Reply)
Discussion started by: anandk
1 Replies

4. AIX

Disabling SSH direct access for an AIX user

Hello everyone, Can anyone help me please. I want to disable SSH direct access for an AIX user. For example, if I have USER1 and USER2. I want to disactivate direct access for USER2. The user must enter his login (USER1) and his password and then he can do su - USER2 . Thanks, (3 Replies)
Discussion started by: adilyos
3 Replies

5. UNIX for Dummies Questions & Answers

Pop the users one by one in sudo cat /etc/security/user

Hi Everyone, When I runthe query in ssh shell sudo cat /etc/security/user , I see half of the users cut down from the display screen. what I want to do is using the somthing like "pop" that when I hit the enter key every time the screen should move to the next user? does some one has any idea how... (4 Replies)
Discussion started by: starter2011
4 Replies

6. Shell Programming and Scripting

ssh foo.com sudo command - Prompts for sudo password as visible text. Help?

I am writing a BASH script to update a webserver and then restart Apache. It looks basically like this: #!/bin/bash rsync /path/on/local/machine/ foo.com:path/on/remote/machine/ ssh foo.com sudo /etc/init.d/apache2 reloadrsync and ssh don't prompt for a password, because I have DSA encryption... (9 Replies)
Discussion started by: fluoborate
9 Replies

7. UNIX for Advanced & Expert Users

sudo and ssh

Hi, I would like to know how i can perform a task, while performing ssh, sudo and command at the same time. What I generally do is I ssh to the server, where i created private and public, so it does not prompt me for password all the time. Then i need to run "sudo su - ldaprole" to get into... (9 Replies)
Discussion started by: john_prince
9 Replies

8. UNIX for Advanced & Expert Users

sudo and ssh

Hello, Can you config sudo to use the passphrase in the user ssh-key instead of the one in the passwd? Some users do not have local passwords on the system and instead of adding the NOPASSWD in sudoers I would like the solution I asked about above. Thx Jocke (3 Replies)
Discussion started by: jOOc
3 Replies

9. Shell Programming and Scripting

Implications of setting sensitive data in ENV

Hello people, In shell scripts if some sensitive data is set into the env so that it is available to other scripts called within those scripts -- Are there are security implications ? -- I believe the scope of those environment variables ends with the execution of the script. -- I see that... (4 Replies)
Discussion started by: tipsy
4 Replies
Login or Register to Ask a Question

LEARN ABOUT CENTOS

pam_ssh_agent_auth

pam_ssh_agent_auth(8)							PAM						     pam_ssh_agent_auth(8)

PAM_SSH_AGENT_AUTH
       This module provides authentication via ssh-agent.  If an ssh-agent listening at SSH_AUTH_SOCK can successfully authenticate that it has
       the secret key for a public key in the specified file, authentication is granted, otherwise authentication fails.

SUMMARY

       /etc/pam.d/sudo: auth	sufficient     pam_ssh_agent_auth.so file=/etc/security/authorized_keys
       /etc/sudoers:
	    Defaults	env_keep += "SSH_AUTH_SOCK"

       This configuration would permit anyone who has an SSH_AUTH_SOCK that manages the private key matching a public key in
       /etc/security/authorized_keys to execute sudo without having to enter a password. Note that the ssh-agent listening to SSH_AUTH_SOCK can
       either be local, or forwarded.

       Unlike NOPASSWD, this still requires an authentication, it's just that the authentication is provided by ssh-agent, and not password entry.

ARGUMENTS

       file=<path to authorized_keys>
	   Specify the path to the authorized_keys file(s) you would like to use for authentication. Subject to tilde and % EXPANSIONS (below)

       allow_user_owned_authorized_keys_file
	   A flag which enables authorized_keys files to be owned by the invoking user, instead of root. This flag is enabled automatically
	   whenever the expansions %h or ~ are used.

       debug
	   A flag which enables verbose logging

       sudo_service_name=<service name you compiled sudo to use>
	   (when compiled with --enable-sudo-hack)

	   Specify the service name to use to identify the service "sudo". When the PAM_SERVICE identifier matches this string, and if PAM_RUSER
	   is not set, pam_ssh_agent_auth will attempt to identify the calling user from the environment variable SUDO_USER.

	   This defaults to "sudo".

EXPANSIONS

       ~  -- same as in shells, a user's Home directory
	   Automatically enables allow_user_owned_authorized_keys_file if used in the context of ~/. If used as ~user/, it would expect the file
	   to be owned by 'user', unless you explicitely set allow_user_owned_authorized_keys_file

       %h -- User's Home directory
	   Automatically enables allow_user_owned_authorized_keys_file

       %H -- The short-hostname
       %u -- Username
       %f -- FQDN

EXAMPLES

       in /etc/pam.d/sudo

       "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"
	   The default .ssh/authorized_keys file in a user's home-directory

       "auth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys"
	   Same as above.

       "auth sufficient pam_ssh_agent_auth.so file=~fred/.ssh/authorized_keys"
	   If the home-directory of user 'fred' was /home/fred, this would expand to /home/fred/.ssh/authorized_keys.  In this case, we have not
	   specified allow_user_owned_authorized_keys_file, so this file must be owned by 'fred'.

       "auth sufficient pam_ssh_agent_auth.so file=/secure/%H/%u/authorized_keys allow_user_owned_authorized_keys_file"
	   On a host named foobar.baz.com, and a user named fred, would expand to /secure/foobar/fred/authorized_keys.	In this case, we specified
	   allow_user_owned_authorized_keys_file, so fred would be able to manage that authorized_keys file himself.

       "auth sufficient pam_ssh_agent_auth.so file=/secure/%f/%u/authorized_keys"
	   On a host named foobar.baz.com, and a user named fred, would expand to /secure/foobar.baz.com/fred/authorized_keys.	In this case, we
	   have not specified allow_user_owned_authorized_keys_file, so this file must be owned by root.

v0.8								    2009-08-09						     pam_ssh_agent_auth(8)