I’m trying to build sudosh under FreeBSD (11.0-REL). Before contemplating any external builds, I routinely install the following packages (which many other github ports rely on for builds):

pkg install -y autoconf automake m4

I’m getting the following error during make of sudosh:

make: "/usr/share/mk/sys.mk" line 424: Cannot open /etc/make.conf
make: Fatal errors encountered -- cannot continue

The stock FreeBSD does have sys.mk files in various places:

% locate sys.mk
- /usr/share/mk/bsd.sys.mk
- /usr/share/mk/meta.sys.mk
- /usr/share/mk/sys.mk

Can someone help me with the make? The Makefile doesn’t reference sys.mk - the reference seems to be coming from somewhere else (perhaps one of the nasty curl auto-includes).

Also, please note that the default installation (per the README.mc) expects to see:

• /etc/sudoers.d/sudosh
• /usr/bin/sudoreplay

… and the politically correct place for these on FreeBSD is:

• /usr/local/etc/sudosh.conf (if you want a config independent of sudo's config)
• /usr/local/etc/sudoers (if you want to share sudo's config)
• /usr/local/bin/sudoreplay (default baseline installation location)

In addition, I'm curious what the default log location is for this binary.

Hello!
Can I utilize this tool with central user management (LDAP) instead of local user management?
If yes, what would you recommend for the implementation then?

THX

Hi there,

I'm trying to use this with my own Bastion host (unfortunately I can't use cloudposse/bastion). I want to be able to use the ProxyCommand so that I can pass my private key through to the target host, however if I do this, the sudo logs are encrypted.

I'm using the following ssh config:

HOST remote-server
  IdentityFile ~/key.pem
  ForwardAgent yes
  ProxyCommand ssh ec2-user@bastion-ip nc %h %p

I've also tried the ProxyCommand with -W but this seems to require turning on AllowTcpForwarding and nothing is captured in the sudo logs.

Cheers

what

• Convert README.md to README.yaml

why

• So we can better integrate with all of our other repos
• Consistency

I'm not asking you to do anything with this but I suppose you should know (if you didn't) that sudosh was already used by some projects earlier.
The original project was:
https://sourceforge.net/projects/sudosh/
Looks like it was picked up by commercial company and some forks established then:
https://github.com/squash/sudosh2
https://github.com/asquelt/eas

I'm just letting you know. Owners may ask you to change your project name eventually.
Well, a new name could be simple gosudosh ;)

First, I like how you do the markdown generation from YaML. I need to look into using that :)

The reason I opened this is because it seems the documentation added as a result of the discussion here seems to have been lost at some point- there is no mention of it any longer. Maybe it was lost when the switch to YaML was made? Or were those caveats (and respective mitigations) intentionally removed?

I just wanted to make sure if the removal was unintentional that it come to your attention. Personally I still think think use of RequestTTY=no / -T by SSH clients is a major blindspot for sysadmins- a subset of which are certainly users of sudosh. Because there is a mitigation (not just "best-effort") I feel it's important to document

I understand that it can be said to SSH and not request a TTY is simply deliberate bad behavior in a sanctioned environment and that users at some point must be trusted to follow procedures- but it's actually very easy to do this unintentionally, as mentioned in the original issue, using ssh host bash- since that implicitly sets the ssh flag to not request a tty.

It's also generally (and unfortunately, in this case) the modus operandi of attackers (red-teams or "real" attackers) to use SSH in this way, simply because it doesn't create an entry in UTMP/WTMP. An attacker might subvert sudosh completely by dumb luck if the sysadmin wasn't aware of the issue and did not apply the necessary mitigation

Using the mitigation recommended in the previous issue (essentially requiring TTY allocation on the server-side) will break scp - but it will not have any adverse effect on sftp since (as you probably know, but many users may not) SFTP uses a channel type different than those for SSH commands

FWIW, scp is (I believe) officially on its way to deprecation, both for security reasons and for overall "it's a hack long overdue to die" reasons- see here and here

Thanks for your work on this project, it's a really effective open-source solution for a very real and common problem- and it's easy to use

EDIT: I'm on mobile, so maybe the caveats are somewhere I'm not seeing. If that's the case, my apologies

Hello devs,

I wanted to just point out something that you may know, but that users may not. For complete and secure logging, it is not sufficient to simply set the user shell to sudosh. You must either use ForceCommand or a bastion that disallows users from invoking SSH directly. Otherwise you have the issue of the following session on somehost going (partially) unaudited:

$ ssh user@somehost bash

In this case, even though the user's shell may be set to sudosh, the only things that will be audited are the initial invocation of bash and the stdout/stderr of the bash shell that was invoked. The stdin of the bash session will not be logged, based on my (limited) testing. Apologies if I made a mistake in testing, but this is what it looks like to me

References to ForceCommand and a bastion host are made in the documentation, but I feel that the documentation doesn't do a great job in pointing out this "bypass" (albeit partial) of session logging.

Maybe I am just not reading the README carefully enough, but it seems like this specific case should be called out as a common pitfall as I think a lot of system administrators overlook things like this, unless they have experience in doing basic subversion testing

Feel free to close this with comments if you feel that this is common knowledge and not a risk. Alternately, maybe you can update the README, or invite a PR to improve the README. I just wanted to make sure there was awareness around this common mistake that syadmins tend to make. I've seen this sort of mistake in several environments, not with sudosh, but with similar tools

Thanks

Hi!

I recently implemented sudosh on a couple of CentOS boxes with the requiretty setting in sudoers. However, this breaks scp and rsync. Is there a way to make those work again? I feel there has to be a combination of sudo rules that allow it.

Anyone any idea?