[LukeShu]

I think you misunderstood Perixoog's comment. Sudo uses PAM to ask for the password. pam_ssh_agent_auth is a PAM module that uses ssh-agent authentication instead of a password. Perixoog is saying that instead of setting NOPASSWORD, you could configure pam_ssh_agent in /etc/pam.d/sudo, and have it use the pre-existing SSH authentication as the "password", instead of having it prompt for a password.

But the part I'm concerned about is that they seem to think that having password-less sudo is a security win.

[Perixoog]

Yes, and yes.

The pam module requires you to forward a remote connection to your ssh agent - when you connect to a compromised server your attacker can authenticate to other machines as you.

An ssh key for root is simpler and safer.

[smhenderson]

But the part I'm concerned about is that they seem to think that having password-less sudo is a security win.

I thought they were saying they don't want people's passwords. People reuse them, naive people giving up an actual root password, etc.

Not sure they mean always using NOPASSWORD is good for security.

[LukeShu]

Sure, giving the password to an application is a mess. Because if the application is compromised, the attacker now has the application's sudo password (ie, the vuls user's password, not the root password), and that's a bad deal. But just having it NOPASSWORD wide open is strictly worse. A knee-jerk reaction is to avoid passwords because it's another attack surface that can be broken open, but in this case just getting rid of it is strictly worse. With SSH, disabling password auth is turning the locked door into a solid brick wall. With this, NOPASSWORD is taking the door off the hinges because you are afraid of someone picking it.