An awesome way to sudo

Hi everyone.
I have a cool toy I thought I wanted to share, and I need to test some dictation tools, so here goes! I hope you like it :slight_smile: I go into a lot of detail here, but don’t be put off, it’s all pretty simple. I just didn’t want to leave anything out.

TL;DR: Simply hit enter or space, or click a GUI button, to securely authenticate to sudo, by using pam_ssh_agent_auth and friends.

Example screenshots:
Using sudo in the terminal:


Saving a file in (patched) Kate, to a folder owned by root (it was /):

Not pictured: Uses the DE’s audio notifications to grab your attention when it pops up :musical_note:
Boring fallback terminal prompt (you know what text looks like, right? :laughing: )

My motivation:
I have long been dissatisfied with privilege authorisation on linux desktops. Using sudo is a sub-par experience. You essentially have three options:

  • Type your password every time, which is annoying, unless you have a very simple password, which is insecure.
  • Type your password never, which is insecure (and extremely common, Hi NOPASSWD users!).
  • Type your password every x minutes, which is often the default, and is cool until it is annoying and insecure - If you’ve cached credentials, it will happily sudo rm whatever you accidentally paste in there… But if you open a new terminal, yep, time to type your password in, again.

Dare I say it, Windows handles this well. When something needs ‘root’ (Administrator) permissions, it pops up a simple, secure GUI prompt asking you if that’s OK with you. You just hit enter, or click OK, and you’re good. Or, deny it, if you did that by accident, or it’s not you, or whatever.

I wanted a secure way to get that same level of ease-of-use, and I’m there, and I really really dig it, and I don’t see anyone talking about it, so… I’m gonna do it.

The toolchain:
There are a few small parts that work together to give this experience. This definitely feels like The Unix Way :grin: I’ll just gloss over how it works. Let’s start with the interface:

ksshaskpass. This tool is intended to provide a way to enter a password to an ssh key, but here, we can use it to give us a simple ‘OK/Cancel’ type of prompt. It works in our KDE GUI, and if we’re in a terminal, it will fall back to the terminal-based sshaskpass. Gnome has gnome-ssh-askpass which I haven’t tried but I’m sure will also work.

ssh-agent is the tool which calls ksshaskpass. This ssh agent, holds your private key, and when you attempt to authenticate to ssh, it will match the key from your agent, to the ssh public key, and let you log in if you’re allowed.

pam_ssh_agent_auth is the secret sauce that ties this together. Everything else you need is probably already installed. This is a plugin module for PAM, which is the tool that does all the authentication for our system. All of the above tools, are intended for logging into ssh servers, but, we can use them to login to shells on our system, by using this.

ssh-add, kwallet, keepassxc, you name it… We can use a tool of our choosing, to add the key to the agent. ssh-add is the stock CLI tool, and kwallet for the GUI, but personally, I’m using keepassxc. When I unlock my keepass database, it adds the key from the database to the agent.

So now, after we unlock our password database/wallet/keychain/whatever, we sudo, and it tries to authenticate us, uses PAM to do that, PAM tries to authenticate us by using pam_ssh_agent_auth, which contacts our ssh-agent which holds our keys, which asks us for confirmation to allow use of the key using ksshaskpass.

It’s all as secure as ssh keys are, and we get a nice GUI or CLI prompt, easy to confirm by slapping enter or space bar, or whoops out of it by hitting esc. If this fails for whatever reason, no biggie, it just falls back to prompting us for our password exactly like normal.

A nice plus to this is that it’s not just authenticating us for sudo, because it’s using PAM it’s as good as our password for any login we make. So, we can use it for other similar tools, PolicyKit’s pkexec, KDE’s kdesu, or Gnome’s gksu. So, it works for all our GUI and CLI tools.

There is a catch to this last part: policykit, for reasons of security, clears the environment variables of the system in the process which authenticates the user. ssh-agent uses a socket for communication with other applications, and the location of that socket file is stored in the environment. This means that when pkexec runs pam_ssh_agent_auth, it can’t find the ssh agent, so it fails, and we still have to type our password. There is a solution to that, which is a patch to pam_ssh_agent_auth, which allows us to specify a default path to use, when the environment variable is not present, to find the ssh-agent socket file. The patch is in their github repository upstream, I’ve packaged it for TW and it’s working well. I recommend it, but it’s not needed, to get this working with sudo, which is the lion’s share of our need. The openSUSE Factory version of pam_ssh_agent_auth works fine for that.

HOW TO:
I can’t dictate this last part and I’ve talked enough already :no_mouth: so I’ll mostly just copy-paste my instructions here. I hope the above will serve to explain what each of these steps does.

Disclaimer: While I’m confident that this is all working and safe, you’re messing with the ability to authenticate as root, here. Please take appropriate precaution. If a disaster happens, just login to the emergency console using the root password and delete the files you created here, and it’ll be back to normal. We don’t change anything here, only add stuff on top.

Create the SSH key for authentication

ssh-keygen -f pam_key -C "for superuser access" -N ""
sudo cp pam_key.pub /root/.ssh/authorized_keys_pam

The private key will be there in your working directory. Be careful with that, it’s effectively as good as knowing your root password.

Add the key to keepassxc
There are tutorials elsewhere on how to use kwallet or ssh-add for this. Same can be said for keepass, so I’ll gloss over this part:

Open up keepassxc, create an entry, go to the ‘Advanced tab’, and Add an attachment, add both of the pam_key files there. Then, go to the ‘SSH Agent’ tab, select the pam_key file as an attachment for the private key. Make sure the three boxes are ticked up the top (Add key, Remove key, Require user confirmation…).

Install the PAM module

sudo zypper install --recommends pam_ssh_agent_auth

If you’re adventurous, you might like to branch my patched branch of this tool so that it works with PolicyKit

Set the environment variable at login
This works for KDE. You could use the profile or whatever is most appropriate for your system.

sudo mkdir -p  /etc/xdg/plasma-workspace/env/ && \
echo 'export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"' | sudo tee /etc/xdg/plasma-workspace/env/ssh-agent.sh

Start the SSH agent at login
There are simpler ways to do this, but this is nice, because we can manipulate the agent more easily.
This is a multi-line paste, copy-paste the whole block:

echo '[Unit]
Description=OpenSSH key agent
Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
After=xdg-desktop-autostart.target
# export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"
ConditionEnvironment=SSH_AUTH_SOCK

[Service]
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
SuccessExitStatus=2
Type=exec

[Install]
WantedBy=xdg-desktop-autostart.target' | sudo tee /etc/systemd/user/ssh-agent.service

Then

systemctl --user daemon-reload
systemctl --user enable ssh-agent.service

Configure sudo
We want sudo to ask us every time, and to remember the path to the ssh agent when it does:

echo 'Defaults     timestamp_timeout = 0, env_keep += "SSH_AUTH_SOCK"' | sudo tee /etc/sudoers.d/pam_ssh_agent_auth

Configure PAM
Note that here, we add a line for pam_ssh_agent_auth, and then a bunch of ‘include’ directives. Those use the stock settings, which will be the fallback if our setup here doesn’t successfully authenticate.

These are multi-line pastes, copy-paste the whole of each block:
First for PolicyKit, IF you are using the patched version of pam_ssh_agent_auth (otherwise this part won’t work and you’ll still have to type a password):

echo "#%PAM-1.0

auth     sufficient     pam_ssh_agent_auth.so file=/root/.ssh/authorized_keys_pam default_ssh_auth_sock=/run/user/%U/ssh-agent.socket
auth     include        /usr/lib/pam.d/polkit-1
account  include        /usr/lib/pam.d/polkit-1
password include        /usr/lib/pam.d/polkit-1
session  include        /usr/lib/pam.d/polkit-1" | sudo tee /etc/pam.d/polkit-1

Next for sudo:

echo "#%PAM-1.0

auth     sufficient     pam_ssh_agent_auth.so file=/root/.ssh/authorized_keys_pam
auth     include        /usr/lib/pam.d/sudo
account  include        /usr/lib/pam.d/sudo
password include        /usr/lib/pam.d/sudo
session  include        /usr/lib/pam.d/sudo" | sudo tee /etc/pam.d/sudo

That’s it! you’re done, give it a reboot and enjoy secure and convenient root permission.
If you hate it, just delete the config files we created with sudo tee in the steps above.

If you have ideas to improve upon this, please do share them with us :slight_smile: Some of this is openSUSE-specific (my patched package) and it does lean towards KDE because that’s what I use, but it should work pretty much as-is, anywhere, so please do feel free to post this anywhere else that it might be interesting or helpful to people.

I think that adding pam_ssh_agent_auth to a distro is a straight upgrade to the typical linux desktop authentication scheme, and hopefully if enough people find this useful, we might even see distros make something like this, the default. I hope you like it, too!

3 Likes

If i understand this right, “after we unlock our password database/wallet/keychain/whatever” in the morning once, everybody with access to your keyboard can gain root privileges by clicking “Accept”.

So this a heavy decrease in security in comparism to the normal way that sudo “forgets” your password after some seconds/minutes.

If you have to do work which requires longer lasting authentication, use su -
If you want only a short lasting authentication , use sudo. (the way how sudo is defined on openSUSE)
→ secure and tested ways to gain elevated user rights

Do i miss something here?

1 Like

Why not using

su -

I am using KDE and it has from the main menu → System → Terminal - Super User mode, which does just that.
I never used sudo .

3 Likes

I think so - you can configure your password manager (or whatever adds the key to the agent) to remove the key after a certain time-frame, also. This is the reason why we need that one step where you tick the “Remove…” box in keepassxc. When we lock the database, or it is locked after inactivity, the key will be removed from the agent, and a malicious user sitting at our desk will need to know the password.

Also, since we’re using a fancy password manager, we can do things like unlocking/locking it with a hardware key, with a keyboard shortcut, with a script, by bluetooth proximity, when we close the lid on our laptop, etc.

I think that if we have a malicious user at our desk when we’ve left our keyring unlocked, we probably are in trouble, regardless. But there are lots of good ways to make sure the keys aren’t in the ignition when we go for a walk :slight_smile:

Solutions like this fall into the “Type your password never” (insecure) category. We now have a shell where we are root, and we will get to act like root, without any further confirmation. Accidentally paste in a bunch of dangerous stuff? It’s gonna be root when it runs. Avoiding something like that, is one of the motivations for this solution.

Also, you can’t use that to ‘Save As’ a document from Kate, or to escalate to root to copy your user’s DE theme to the SDDM login in KDE’s settings, etc etc.

Now that I think of it, I really should add to this, so that this works for su like it does for sudo. sudo su works for that purpose, for now.

1 Like
echo "#%PAM-1.0

auth     sufficient     pam_ssh_agent_auth.so file=/root/.ssh/authorized_keys_pam
auth     include        /usr/lib/pam.d/su
account  include        /usr/lib/pam.d/su
password include        /usr/lib/pam.d/su
session  include        /usr/lib/pam.d/su" | sudo tee /etc/pam.d/su

Works :slight_smile:

The administrator of a system should know what he is doing, regardless if he uses su - or sudo. If it is a 3 year old who needs to be reminded not to paint on the wall with his crayons…he should stay away from any computer system :wink:

Thats why stuff like /usr/bin/xdg-su exists…

Even pros make mistakes. Typos happen, cats walk on keyboards :joy_cat: This stops them from being a disaster. For everyone who isn’t a pro, this makes them not need to be one. Also they can not worry about their pets :smiley:

That falls into the “type your password every time” (annoying) category.

The real question (and reason for the likes of sudo) is what necessitates a standard user to perform a ‘root’ user task?

That’s why you also have groups, ACL’s etc. For example looking at the complete journalctl output as a user, add to the systemd-journal group. Create your own groups etc?

In day to day activities I would not expect to be doing anything as root user, aside from package management for updates/upgrades, even that is automated in the likes of Aeon.

But as an aside, that’s the good thing about linux, you get to choose how things are done on your system, the way you want to :smile:

This does not provide a notification to the user that something is about to run with elevated permissions, and provide them opportunity to stop it before it happens. That’s “type the password never” category.

For all those other times, this makes it better :slight_smile:

You are talking nuts. People seem to type sudo for before everything they do and pasting after typing it is creating the same havoc. It is the insecure behaving that creates the problem.

Things you should not do either. As root, use a CLI editor (I will not try to advice vi , but there are others).
And a users DE theme is NOT a system wide theme for anything.

And, after all, how often does you really need "to be root "?
In my day to day life, I more often use root to check problems here on the forums. I do not need to change the systems I manage all of the time. Once ready for use: never change a running system.

1 Like

But why save as? Save as your user, the use install as you can also set file permissions or cp ar etc Likewise, this sort of thing is a one off during system setup? Or are we talking about changing the flavor every other day?

The only thing I use as a GUI is YaST on occasions and even then in a terminal it runs a ncurses version…

For user config changes, that can all be done in ~/.config ~/.local etc to override system defaults.

You are talking disrespectfully.

While yes, the machine won’t make mistakes like this without operator error, suggesting that users shouldn’t paste into their terminal or ever make mistakes, seems to be trying really hard to find reasons to dislike this for no reason.

Yes, it would totally be better if people were perfect. Since we aren’t, this is an upgrade.

There’s no harm in saving a file as root.

Perhaps you are unfamiliar with the feature I referred to. su can’t do this:

Whatever our answer to that, it’ll be better when we do, with this addition.

Don’t like it? Just don’t add the key to the agent. Then it will be just as it was without. For the people who do “need to be root” often, or just want it to be better when they do, they can add the key.

Damn, did I post on International Haters Day or is it usually like this around here?

1 Like

Not at all, your system, your workflow etc :wink: Remember you have posted your method other users may wish to use. These are just observations as to why, why not etc.

For me, I don’t use sudo, well one application build, and for that I just have a drop in called /etc/sudoers.d/01-build containing username ALL = NOPASSWD: /usr/bin/build no password needed… Created as my user and installed with install as root user in a terminal :wink:

It is in short what I think of it. I can of course make a whole story, but that would in the end mean the same.

I guess the main problem here is not that you invented this, nor that you published it. After all every body to his/her own devices. But the fact that you value it as “awesome” will without doubt loosen reactions of those that find it less useful in the scale of "security ←→ convenience.
If only because people new to Unix/Linux might think it is a good idea without thinking over it further. They should be aware that there are different opinions bout this.

To summarise: the way shown seems another way of doing something that can be done just as safely in other, “conventional” ways.
If you have elevated user rights (it doesn’t matter how you got them), you can destroy your system. This new way doesn’t prevent it. root/su/sudo has to know what he is doing. If he doesn’t know he hopefully has some backups,

For sure an interesting approach. But not suitable for every system administrator or use case.

I feel like the answers to this are kinda obvious. Those buttons in our editors do exist for reasons. Am I misunderstanding the question?

This works in the terminal, too, it just calls sshaskpass instead of ksshaskpass. ssh-agent takes care of all that, and behaves like normal.

GUIs are a thing that many other people do use frequently, though.

I’m sorry, I don’t understand this question. Are you saying that it’s something we rarely use? I mean, I literally just used it to fix a typo in the PAM config for su that I pasted above. I guess if I weren’t the type of person to use this so often, I’d appreciate it less often, but I’d still appreciate it when I do use it!

I’m aware, but the reason why I used /etc/ rather than ~/ is so that this can work for all users on the machine, likewise, the use of % expansion in PAM configs.

Seems they’re all observations as to why not.

My grey hairs come from a time that gave me appreciation for the power of the terminal, but as a guy still (barely) living in the 2020’s, I do also appreciate a GUI.

Fortunately for both of us, pam_ssh_agent_auth works with both, and if it’s set up, it works, only if you want it to :slight_smile: What’s not to like?

I meant, why be root user in a GUI editor, any system configs etc are all created as my user, when necessary copied/installed into the root environment.

It pops up the simple prompt only when you are already Administrator. You cannot compare it with Linux because Linux does not have anything comparable.

If you want fair comparison, you need to log into Windows as plain non-Administrator user. In which case you must authenticate as Administrator user to elevate privileges. There is no provision to use your own password, there is no caching - you need to authenticate again every time.

That pop up can be disabled with User Access and wind the slider down :wink:

And your point is? You imply that Windows is less secure than Linux? Is there slider that I can wind up to achieve UAC for root on Linux?