SSH as a Sudo Replacement

The author discusses the limitations of tools like sudo and doas, which rely on setuid binaries for privilege escalation to run commands as root. One alternative explored is s6-sudod, which splits the program into a privileged server and an unprivileged client. The experiment uses ssh locally so that authorized users can run commands as root without privilege escalation. The root account is locked for security, and a dedicated SSH key is configured for authenticating as root. The technique delegates the security-sensitive details to OpenSSH and can be easily configured on a new host. The author also discusses overcoming challenges with socat and ProxyUseFdpass.

https://whynothugo.nl/journal/2024/06/13/ssh-as-a-sudo-replacement/
