No password not NOPASSWD sudo.

 

 

Fallout Vault Boy History - Official Mascot of Vault-Tec

 

What is Vault?

 

Vault is a tool created by HashiCorp that provides “Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.”

One common use of vault is to leverage the OTP token generation paired with the ssh engine to create a secure authentication solution for SSH access to servers.

If all of this is alien to you, then HashiCorp has excellent documentation and you can check out this link for a much more in-depth explanation of this. Because of this, I am not going to go into detail on what this is and how to set it up.

SSH OTP Workflow

 

TL;DR

Vault OTP ssh is set up by using a custom PAM configuration on the server, this same PAM configuration can be used for sudo to have OTP sudo access instead of configuring passwords for users.

Where does sudo come into this?

For people that are familiar with Vault OTP SSH and are using it on their servers currently, you probably have seen this set of instructions before:

https://learn.hashicorp.com/vault/secrets-management/sm-ssh-otp

Looking at this specific part of the above instructions:

 

 

So this provides a great password-less method of sshing into your servers, but once you are in as your user on the server, a common issue is engineers setting the NOPASSWD option for sudo because the users are not provisioned with a password or they still have to manage user passwords in order to sudo. With these two options commonly being adopted, there had to be a better option between the insecure and the redundant.

The fact vault used PAM sshd module for ssh authentication, I figured that there was no reason you couldn’t do the same thing for the sudo module. So I decided to try and see, taking a look at the sudo PAM module in /etc/pam.d/sudo:

#%PAM-1.0

auth       include      system-auth

account    include      system-auth

password   include      system-auth

session    optional     pam_keyinit.so revoke

session    required     pam_limits.so

 

I modified it in a similar manner as the instructions implied for ssh. I added the auth requisite and auth optional lines pointing to the vault-ssh-helper binary.

#%PAM-1.0

auth       required     pam_sepermit.so

auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -config=/etc/vault-ssh-helper.d/config.hcl debug

auth optional pam_unix.so not_set_pass use_first_pass nodelay

account    include      system-auth

password   include      system-auth

session    optional     pam_keyinit.so revoke

session    required     pam_limits.so

session    include      system-auth

 

Boom! It worked like magic. Generate one token to get on the server and then when you need to sudo you can generate another token and enter it at the password prompt.

[test@myserv ~]$ sudo -s

[sudo] password for test:

[root@myserv ~]$

 

This is nothing mind-blowing, but I believe it is a slick way of maintaining password-less authentication on servers for both SSH and sudo. Just an extension to the existing functionality provided by vault.

4 years ago

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *