Using SSH agent for sudo authentication

13 March 2011
pam-ssh-agent-auth is a PAM module which allows you to use your SSH keys to authenticate for sudo. If you aren’t happy using completely passwordless sudo but don’t want to be typing passwords all the time this module provides a compromise.
There’s currently no deb package available (and my debian-fu isn’t quite up to creating one yet) but it’s fairly easy to build and configure manually.
Grab the source from SourceForge and extract it:
wget "http://downloads.sourceforge.net/project/pamsshagentauth/pam_ssh_agent_auth/v0.9.3/pam_ssh_agent_auth-0.9.3.tar.bz2"
tar -xjvf pam_ssh_agent_auth-0.9.3.tar.bz2
cd pam_ssh_agent_auth-0.9.3
As well as the standard build tools (build-essential and checkinstall) you’ll need some header files:
sudo aptitude install libssl-dev libpam0g-dev
3. Build and install
Before building, we need to set a couple of configuration options. By default, the module will try to install itself in /usr/local/libexec, whereas Ubuntu keeps its PAM modules in /lib/security. We also need to tell it that the man page is in NROFF format, not plain text.
./configure --libexecdir=/lib/security --with-mantype=man
Now we can build and install:
make
sudo checkinstall
As well as installing, checkinstall will spit out a deb package that you can use on other machines as long as they share the same architecture. (The package won’t include any dependency information but that isn’t required in this case.) It will also allow you to cleanly uninstall via
sudo -s to root. Otherwise, if you balls up your sudo/PAM config you won't be able to get sufficient privileges to fix it, whereupon there will be wailing and gnashing of teeth.
We need to make three changes. First, copy your authorized_keys file to a root-owned location:
sudo cp ~/.ssh/authorized_keys /etc/ssh/sudo_authorized_keys
If there are other users who you want to be able to sudo using this mechanism you’ll need to append their authorized_keys to this file as well. It’s important that this file only be writable by root, to prevent users from simply writing their own keys into it and then using those keys to authenticate.
Secondly, ensure that sudo passes on the SSH_AUTH_SOCK environment variable so PAM knows how to talk to your key agent. Edit your sudoers file (use visudo for this, it will stop you doing anything stupid) and add the following line:
Defaults env_keep += SSH_AUTH_SOCK
Thirdly, we tell PAM to use this particular module to authenticate for sudo. To do this, edit /etc/pam.d/sudo and add the auth line for pam_ssh_agent_auth.so shown here (the order of these lines is significant):
#%PAM-1.0
auth [success=2 default=ignore] pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys
@include common-auth
@include common-account
session required pam_permit.so
session required pam_limits.so
We’re configuring the module as follows:
success=2: On a successful authentication, skip the next two config lines, i.e., don’t attempt the normal authentication mechanisms.
default=ignore: If anything else happens, carry on as normal, so if your key isn’t available or the module breaks for any reason you can still sudo using your password.
file=/etc/ssh/sudo_authorized_keys: The file where the keys which grant sudo rights are stored.
5. Test and debug
Test by using sudo -K to force reauthentication:
sudo -K
sudo whoami
You should get the response ‘root’ without being prompted for your password. If not, check that your SSH_AUTH_SOCK is set and is being correctly passed through by sudo:
printenv | grep SSH
sudo printenv | grep SSH
You can also add debug to the end of the auth line in pam.d/sudo and get more detailed information logged to
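As an added example (not code from this post or from the pam_ssh_agent_auth project), the following POSIX shell script checks the three things the setup above depends on: that the sudo key file is root-owned and writable only by root (so nobody can append their own key), that sudoers keeps SSH_AUTH_SOCK, and that SSH_AUTH_SOCK actually points at a live agent socket. The function names, the --check flag and the use of GNU coreutils stat are my own assumptions; the default paths are the ones used in the post.

```shell
#!/bin/sh
# Preflight checks for the sudo + pam_ssh_agent_auth setup described in the post.
# Added example, not code from the post or the pam_ssh_agent_auth project.
# Assumes GNU coreutils `stat` (as on Ubuntu). Default paths are the post's.

# check_keyfile FILE [EXPECTED_UID]
# Succeeds only if FILE is a regular file owned by EXPECTED_UID (default 0, root)
# and not writable by group or others. This is the property the post requires of
# the sudo key file: a writable file would let a user add their own key.
check_keyfile() {
    file=$1
    expected_uid=${2:-0}
    if [ ! -f "$file" ]; then
        echo "check_keyfile: $file is missing or not a regular file" >&2
        return 1
    fi
    owner=$(stat -c %u "$file")
    if [ "$owner" != "$expected_uid" ]; then
        echo "check_keyfile: $file is owned by uid $owner, expected $expected_uid" >&2
        return 2
    fi
    # Symbolic mode such as -rw-r--r--; columns 6 and 9 are the group/other write bits.
    perms=$(stat -c %A "$file")
    group_w=$(printf '%s' "$perms" | cut -c6)
    other_w=$(printf '%s' "$perms" | cut -c9)
    if [ "$group_w" = w ] || [ "$other_w" = w ]; then
        echo "check_keyfile: $file is group- or world-writable ($perms)" >&2
        return 3
    fi
    return 0
}

# check_env_keep SUDOERS_FILE
# Succeeds if the file has an uncommented "Defaults env_keep += ..." line that
# names SSH_AUTH_SOCK, quoted or not. Only the one file is inspected; drop-ins
# under /etc/sudoers.d are not followed.
check_env_keep() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=[[:space:]]*"?[^"]*SSH_AUTH_SOCK' "$1"
}

# check_agent_sock [SOCKET_PATH]
# Succeeds if the path (default: $SSH_AUTH_SOCK) names an existing unix socket.
# Passing in your login shell but failing under `sudo sh -c '...'` means the
# env_keep change is not taking effect.
check_agent_sock() {
    sock=${1-$SSH_AUTH_SOCK}
    if [ -z "$sock" ]; then
        echo "check_agent_sock: SSH_AUTH_SOCK is not set" >&2
        return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "check_agent_sock: $sock is not a socket (agent gone?)" >&2
        return 2
    fi
    return 0
}

# Stand-alone use against the real system (run as root to read /etc/sudoers):
#   sh preflight.sh --check
if [ "${1-}" = "--check" ]; then
    status=0
    for check in 'check_keyfile /etc/ssh/sudo_authorized_keys' \
                 'check_env_keep /etc/sudoers' \
                 'check_agent_sock'; do
        if $check; then
            echo "ok: $check"
        else
            status=1
        fi
    done
    exit $status
fi
```

Each function returns a distinct non-zero code for each failure mode, so the script can be dropped into a configuration test or run by hand after editing sudoers and pam.d/sudo, before the root shell from the earlier step is closed.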