by lmz 720 days ago
The sudo binary is suid root / privileged and is exposed directly to the untrusted user. If anything goes wrong inside of sudo (with the user's entire environment as the surface area), it may be exploited.

The ssh approach does not expose a suid binary. Instead it uses the ssh network layer so it is no less secure than accessing ssh over a network, which is considered pretty secure.


I would assume if you have to use SSH or sudo you've already lost. I've been working with people where we just completely lock down the VM or Container. They only allow necessary flow of traffic and are managed entirely from golden builds. If you need to make changes or fix something it is a new vm or container.
This premise is incorrect: SSH doesn't need to be an suid binary because it's already running as root, and then SSH creates a new environment for the user, exactly like sudo does, but with all the added complexity and overhead (and surface) of privileged network access.

To be clear, I love SSH and we even run a userify instance to distribute keys, but just comparatively the surface area of the ssh daemon alone is greater than sudo alone.

(however, even with the extra complexity, you might trust the history of portable OpenSSH more than sudo, and that's a good, but different, conversation to have also.)

But the area under control by the invoking user is data over one socket vs the whole calling environment e.g. environment vars, local files. Surely that counts for something.
Unfortunately SSH has to do all that too. :(
...why not just su then?
root would need a defined password, which opens up other security concerns
Even if you allow passwordless su for users in the wheel group?
That's extremely dangerous. Any software running as a wheel user can escalate privileges willy nilly.
they can also access your ssh private keys
In theory, those ssh private keys are password protected.

In practice, maybe not.

They were stored in the user’s yubikeys (or similar) in this example.
If you do that you deserve what you get
Do what!?
plzno
We've got root passwords set on, IIRC, all of our systems. They're long, random, and can only be entered through the console on the VGA port or the IPMI console.
su is also a suid binary, no? It is probably a lot less complex than sudo.
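The thread turns on a few concrete configuration points: which local binaries carry the setuid bit, whether sudo resets the caller's environment before running anything as root, whether `pam_wheel.so trust` lets wheel members `su` without a password, and whether root has a locked, set, or empty password. The following Python audit is an added example, not code from any commenter; every sample input (the pam.d excerpt, the sudoers excerpt, the shadow lines with placeholder hashes) is constructed, and the file-path check only reports what `os.stat` sees on the host it runs on.

```python
"""Added audit helpers for the mechanisms discussed in the thread: the setuid
bit on local privilege-escalation binaries, sudo's environment policy,
passwordless su for wheel via pam_wheel, and the state of root's password.
All sample inputs below are constructed for illustration."""
import os
import re
import stat

# Constructed excerpt of /etc/pam.d/su. The commented line is inactive; the
# second line is the "passwordless su for wheel" setting the thread warns about.
SAMPLE_PAM_SU = """\
#auth  sufficient  pam_wheel.so trust use_uid
auth   sufficient  pam_wheel.so trust use_uid
auth   required    pam_wheel.so use_uid
"""

# Constructed sudoers excerpt: env_reset is on, but env_keep widens the surface
# by letting two loader-influencing variables through from the caller.
SAMPLE_SUDOERS = """\
Defaults  env_reset
Defaults  env_keep += "LD_PRELOAD PYTHONPATH"
%wheel ALL=(ALL) ALL
"""

# Constructed /etc/shadow lines; the hash is a placeholder, not a real digest.
SAMPLE_SHADOW_LOCKED = "root:!:19000:0:99999:7:::"
SAMPLE_SHADOW_SET = "root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::"
SAMPLE_SHADOW_EMPTY = "root::19000:0:99999:7:::"

# Typical locations of the binaries the thread compares (hypothetical list).
CANDIDATE_BINARIES = ["/usr/bin/sudo", "/usr/bin/su", "/bin/su", "/usr/bin/ssh"]


def has_setuid(mode):
    """True if a st_mode value describes a regular file with the setuid bit."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def setuid_files(paths):
    """Return (path, owner_uid) for each existing regular file in `paths` that
    carries the setuid bit. Owner uid 0 means it runs as root for any caller."""
    found = []
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue  # missing or unreadable: nothing to report
        if has_setuid(st.st_mode):
            found.append((p, st.st_uid))
    return found


def _active_lines(text):
    """Yield lines with comments and blank lines removed, so a commented-out
    setting is never mistaken for an active one."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def wheel_su_without_password(pam_su_text):
    """True if an active pam_wheel.so line in /etc/pam.d/su carries `trust`,
    i.e. wheel members may su to root without entering a password."""
    return any("pam_wheel.so" in line and "trust" in line.split()
               for line in _active_lines(pam_su_text))


def sudo_env_policy(sudoers_text):
    """Summarise how a sudoers file treats the caller's environment: whether
    env_reset is active and which extra variables env_keep passes through."""
    env_reset = False
    kept = []
    for line in _active_lines(sudoers_text):
        if not line.startswith("Defaults"):
            continue
        for opt in line[len("Defaults"):].split(","):
            opt = opt.strip()
            if opt == "env_reset":
                env_reset = True
            m = re.match(r'env_keep\s*\+?=\s*"?([^"]*)"?', opt)
            if m:
                kept.extend(m.group(1).split())
    return {"env_reset": env_reset, "env_keep": kept}


def root_password_state(shadow_text):
    """Classify root's password field: 'locked' ('!' or '*'), 'empty' (no
    password at all), 'set' (a hash is present) or 'absent' (no root line)."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == "root" and len(fields) >= 2:
            if fields[1] == "":
                return "empty"
            if fields[1].startswith(("!", "*")):
                return "locked"
            return "set"
    return "absent"


if __name__ == "__main__":
    print("setuid binaries found:", setuid_files(CANDIDATE_BINARIES))
    print("wheel su without password:", wheel_su_without_password(SAMPLE_PAM_SU))
    print("sudo env policy:", sudo_env_policy(SAMPLE_SUDOERS))
    for sample in (SAMPLE_SHADOW_LOCKED, SAMPLE_SHADOW_SET, SAMPLE_SHADOW_EMPTY):
        print("root password:", root_password_state(sample))
```

Run on a real host, `setuid_files` would be pointed at the actual `/etc/sudoers`, `/etc/pam.d/su` and `/etc/shadow` contents (read as root); the parsers are deliberately strict about comments so that a commented-out `trust` or `env_keep` line does not produce a false finding.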