Ludovic Courtès writes: > SSH is a complex protocol and its implementations are complex too. I > would find it unreasonable to replace ‘su’ and ‘sudo’ with something > this complex, that goes through the TCP/IP stack, etc.
I agree. We could maybe have a pseudo-sudo service that is built just for this purpose though... let's call it "psudo". ;) Thinking out loud: So, you're running psudo, and this thing maybe accepts connections over something more secure, *maybe* unix domain sockets... so restrict group access to the socket to users in the "psudo" group. >From there, maybe it could require PAM authentication while entering the root password, or something. It feels hard to know how psudo could "know" what user is accessing the socket... I don't think that information is made available, right? Maybe I'm wrong! I guess postgres and etc do similar things? Fun idea to think about anyway :)
