
Comments (3)

bcg62 avatar bcg62 commented on September 3, 2024

I'm not sure it ties together this easily.

Even though you have an ssh cert, signed by a CA which a destination machine may be configured to trust, if your Linux user account does not exist on the machine you won't be able to log in (granted, I think there may be other PAM modules to create accounts in this situation on the fly).

Additionally, along with your Linux account is your Linux group configuration; these are the groups sudo references. It is not aware of your ssh cert principals. When running a sudo command, sudo offloads authentication to PAM, which has your ssh CA config, which is more or less pass/fail based on conditions.

In my experience I've seen IDM/IDP/LDAP/Kerberos systems bridge this gap, where Linux user accounts, groups, and sudo config are deployed across an org from central tooling and the CA is just for auth/creds.

There are products like https://goteleport.com/ which do a lot of this out of the box.

from pam-ussh.

asteele4 avatar asteele4 commented on September 3, 2024

Thanks @bcg62 for the response.

But it's left me more confused. I knew of the LDAP/IDM solutions; for complicated non-technical reasons I have limited ability to use them, which is why I was investigating pam-ussh.

I'm already using users and groups to control sudo privileges.

Given what you've said, I'll turn my question around: what "value add" does pam-ussh provide over users and groups? If I have a user I'm already granting access to the host and sudo abilities (via either their username or group), what benefit do I get from using pam-ussh?

The use I'd expected: I was thinking I could make use of two additional benefits ssh certificates provide, the validity window and principals.

For example, I was hoping I could have a sudo rule that said a principal (like "allowed_root") could become root. Then I could have a permanent sudo rule (like I mentioned above) and, when someone needs sudo access during a change window, we'd sign their key, giving the certificate both the principal and a validity of the change window. Thus permitting them sudo access only for the duration of their change and without any updates to /etc/sudoers.

If that's not the expected use case, if a user is already granted access to a host, what additional benefit do I get from using pam-ussh to authorise sudo permissions?

[apologies for taking so long to reply, I forgot to turn on notifications for the thread]


pmoody- avatar pmoody- commented on September 3, 2024

> For example, I was hoping I could have a sudo rule that said a principal (like "allowed_root") could become root.

It's been a while since I've used pam-ussh in production, but I would suggest implementing this with a sudoers rule of

%allowed_root ALL=(ALL:ALL) ALL

and then putting your user(s) in the allowed_root group.

The confusion might arise from an assumption that pam-ussh reads /etc/ssh/sshd_config and parses things like authorized principals files. It doesn't.

> Given what you've said, I'll turn my question around: what "value add" does pam-ussh provide over users and groups? If I have a user I'm already granting access to the host and sudo abilities (via either their username or group), what benefit do I get from using pam-ussh?

sshd only checks certificate validity when a user authenticates to a host. If you're expiring ssh user certificates (and if you're using certificates for user authentication, you are making them expire, right?), it's quite possible that you will have users running on hosts long after their authentication credentials expired. pam-ussh allowed me to ensure that anyone trying to run a privileged command had recently authenticated.

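An added illustration, not pam-ussh's code and not something the project itself does: it checks the two certificate properties asteele4 wanted to lean on, a required principal and the validity window, at the moment of the privileged command, which is the gap pmoody- describes between sshd's login-time check and later sudo use. The `ssh-keygen -L` text is a constructed sample with a placeholder key ID and serial, and real enforcement must also verify the signature against the trusted CA, which this parser deliberately does not attempt.

```python
import re
from datetime import datetime

# Constructed sample shaped like `ssh-keygen -L` output for a user certificate
# (placeholder key ID and serial, not a real certificate).
SAMPLE_CERT_INFO = """\
id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "asteele4 change window"
        Serial: 42
        Valid: from 2024-09-03T09:00:00 to 2024-09-03T13:00:00
        Principals:
                asteele4
                allowed_root
        Critical Options: (none)
        Extensions:
                permit-pty
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"  # ssh-keygen prints local time in this shape


def parse_cert_info(text):
    """Return (valid_from, valid_to, principals); times are None for 'Valid: forever'."""
    valid_from = valid_to = None
    principals, in_principals = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if in_principals and line.startswith(" " * 16):
            principals.append(stripped)  # names listed under "Principals:"
            continue
        in_principals = stripped == "Principals:"
        m = re.match(r"Valid: from (\S+) to (\S+)$", stripped)
        if m:
            valid_from = datetime.strptime(m.group(1), TS_FORMAT)
            valid_to = datetime.strptime(m.group(2), TS_FORMAT)
    return valid_from, valid_to, principals


def sudo_allowed(cert_text, required_principal, now_iso):
    """Allow only if the cert names required_principal and now is inside its window."""
    valid_from, valid_to, principals = parse_cert_info(cert_text)
    now = datetime.strptime(now_iso, TS_FORMAT)
    if required_principal not in principals:
        return False  # cert was not issued for this role
    if valid_from is not None and now < valid_from:
        return False  # not yet valid
    if valid_to is not None and now > valid_to:
        return False  # expired: sshd would not notice this after login
    return True
```

Pairing a check like this with the `%allowed_root` sudoers rule above still needs the group mapping, since sudo itself never sees the certificate's principals.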
