If keys can be compromised without stealing them, then SSH has much bigger problems, and the only place to steal them from is the credentials store, which would have both key and password. Now, I'm not arguing against supporting sudo with password, but I just don't see how it would add much security. If someone compromises the Veeam server enough to acquire this key, they will easily be able to acquire the sudo password as well since they will be stored in the same place. The private key used for this service should be protected by a passphrase, and should exist nowhere except in the encrypted credentials store. However, the Veeam server is not a normal interactive user, it's a service, and thus, it is required to store both the key and the password in the credentials store.

However, if I have stored the password anywhere on the system, then they do have both key and password and it's not really 2FA anymore. They will need to perform other techniques (keylogging, etc.) to attempt to get the password.

If you want to enable this for a group, use the following syntax: GROUPNAME ALL (ALL:ALL) NOPASSWD:ALL. In this syntax, the important part of this line is the NOPASSWD part, it essentially allows ALL (only pratham) to run the sudo command without password.

I've played with the Defaults entry in my /etc/sudoers file.

But the question is, how is the private key going to be compromised if set up correctly? For a normal interactive user, it's 2FA because it's a thing you have (the key) and a thing you know (the password), if my machine is compromised and someone gets the key (assuming I've stored the key without a passphrase, already bad practice), they still don't know the password, which is hopefully only in my head.
Sudo: no tty present and no askpass program specified

Turned on Guest processing and enabled guest file system indexing for all my Ubuntu Linux systems (12.04 and 14.04). Entered my Guest OS credentials and click Test Now. Receive this error on all my Linux guests:

3:23:53 PM :: Testing SSH credentials for: XXXX
Error: Failed to run command with sudo: no tty present and no askpass program specified

In the Linux VM syslog shows me these messages:

Mar 19 15:23:53 : XXXX : 3 incorrect password attempts TTY=unknown PWD=/home/XXXX USER=root COMMAND=/usr/bin/id -u
Mar 19 15:23:57 testvm-2 sshd: pam_unix(sshd:session): session closed for user XXXX
Mar 19 15:23:57 testvm-2 sudo: pam_unix(sudo:auth): auth could not identify password for
Mar 19 15:23:57 testvm-2 sudo: pam_unix(sudo:auth): conversation failed
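The syslog lines above are what a non-interactive sudo password prompt looks like on the guest (TTY=unknown plus "incorrect password attempts"), which is the symptom of a backup service account that has no NOPASSWD rule. The following is an added example, not code from the thread or from Veeam: it parses sudo log lines in the standard sudo syslog layout (the sample lines are constructed, modelled on the ones quoted above), flags non-interactive password failures so an admin can spot which hosts and commands are hitting the prompt, and builds a group NOPASSWD rule limited to an explicit command list instead of ALL. The group name "veeam" and the command paths are assumptions.

```python
import re

# Constructed sample in sudo's syslog format (fields separated by " ; "),
# modelled on the lines quoted in the thread; the last line is a normal
# interactive sudo for comparison.
SAMPLE_SYSLOG = """\
Mar 19 15:23:53 testvm-2 sudo:    XXXX : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/XXXX ; USER=root ; COMMAND=/usr/bin/id -u
Mar 19 15:23:57 testvm-2 sshd[1234]: pam_unix(sshd:session): session closed for user XXXX
Mar 19 15:23:57 testvm-2 sudo: pam_unix(sudo:auth): auth could not identify password for [XXXX]
Mar 19 15:23:57 testvm-2 sudo: pam_unix(sudo:auth): conversation failed
Mar 19 15:30:02 testvm-2 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Matches sudo's per-command log line; the "N incorrect password attempts"
# prefix is only present when authentication failed.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"(?:(?P<fail>\d+ incorrect password attempts?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_events(text):
    """Return one dict per sudo command line; pam_unix chatter is ignored."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_noninteractive_failures(events):
    """Sudo invocations that failed on a password prompt with no terminal.

    TTY=unknown means nothing could answer the prompt (no tty, no askpass),
    which is exactly what a service account over SSH runs into."""
    return [e for e in events if e["tty"] == "unknown" and e["fail"]]


def nopasswd_rule(group, commands):
    """Build a sudoers line granting passwordless sudo to a group, but only
    for the listed absolute command paths rather than ALL."""
    return "%{} ALL=(ALL:ALL) NOPASSWD: {}".format(group, ", ".join(commands))


if __name__ == "__main__":
    for e in find_noninteractive_failures(parse_sudo_events(SAMPLE_SYSLOG)):
        print(e["host"], e["user"], "->", e["runas"], e["cmd"])
    print(nopasswd_rule("veeam", ["/usr/bin/id", "/usr/bin/find"]))
```

Validate any rule before installing it with `visudo -cf <file>` and place it under /etc/sudoers.d/ rather than editing /etc/sudoers directly.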