Using SSH agent for sudo authentication

pam-ssh-agent-auth is a PAM module which allows you to use your SSH keys to authenticate for sudo. If you aren’t happy using completely passwordless sudo but don’t want to be typing passwords all the time this module provides a compromise.

There’s currently no deb package available (and my debian-fu isn’t quite up to creating one yet) but it’s fairly easy to build and configure manually.

1. Download

Grab the the source from SourceForge and extract:

wget "http://downloads.sourceforge.net/project/pamsshagentauth/pam_ssh_agent_auth/v0.9.3/pam_ssh_agent_auth-0.9.3.tar.bz2"
tar -xjvf pam_ssh_agent_auth-0.9.3.tar.bz2
cd pam_ssh_agent_auth-0.9.3

2. Dependencies

As well as the standard build tools (build-essential and checkinstall) you’ll need some header files:

sudo aptitude install libssl-dev libpam0g-dev

3. Build and install

Before building, we need to set a couple of configuration options: By default, the module will try to install itself in /usr/local/libexec whereas Ubuntu keeps its PAM modules in /lib/security. We also need to tell it that the man page is in NROFF format, not plain text.

./configure --libexecdir=/lib/security --with-mantype=man

Now we can build and install:

make
sudo checkinstall

As well as installing, checkinstall will spit out a deb package that you can use on other machines as long as they share the same architecture. (The package won’t include any dependency information but that isn’t required in this case.) It will also allow you to cleanly uninstall via aptitude remove.

4. Configure

We need to make three changes. First, copy your authorized_keys file into /etc/ssh/sudo_authorized_keys:

sudo cp ~/.ssh/authorized_keys /etc/ssh/sudo_authorized_keys

If there are other users who you want to be able to sudo using this mechanism you’ll need to append their authorized_keys to this file as well. It’s important that this file only be writable by root to prevent users just writing their own keys into this file and then using those to authenticate against.

Secondly, ensure that sudo passes on the SSH_AUTH_SOCK environment variable so PAM knows how to talk to your key agent. Edit your sudoers file (use visudo for this, it will stop you doing anything stupid) and add the following line:

Defaults env_keep += SSH_AUTH_SOCK

Thirdly, we tell PAM to use this particular module to authenticate for sudo. To do this, edit /etc/pam.d/sudo and add the line beginning auth (the order of these lines is significant):

#%PAM-1.0

auth [success=2 default=ignore] pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys
@include common-auth
@include common-account

session required pam_permit.so
session required pam_limits.so

We’re configuring the module as follows:

success=2
On a successful authentication, skip the next two config lines i.e., don’t attempt the normal authentication mechanisms.

default=ignore
If anything else happens, carry on as normal so if your key isn’t available or the module breaks for any reason you can still sudo using your password.

file=/etc/ssh/sudo_authorized_keys
The file where the keys which grant sudo rights are stored.

For more details, see the documentation for PAM and pam-ssh-agent-auth (also try man pam_ssh_agent_auth).

5. Test and debug

Test by using sudo -K to force reauthentication:

sudo -K
sudo whoami

You should get the response ‘root’ without being prompted for your password. If not, check that your SSH_AUTH_SOCK is set and being correctly passed though by sudo:

printenv | grep SSH
sudo printenv | grep SSH

You can also add debug to the end of the auth line in pam.d/sudo and get more detailed information logged to /var/log/auth.log