Ssh – PAM failing to authenticate sudo, after successfully contacting ssh-agent

Tags: authentication, pam, ssh, sudo, Ubuntu

Setting up PAM sudo authentication, using ssh-agent, on 14.04.1-Ubuntu server LTS.

I'm still unable to successfully authenticate sudo, via the ssh-agent, using PAM.

Here are my relevant /var/log/auth.log entries…

Jun 17 11:31:16 host sudo[21318]: pam_ssh_agent_auth: Beginning pam_ssh_agent_auth for user userName
Jun 17 11:31:16 host sudo[21318]: pam_ssh_agent_auth: Attempting authentication: `userName' as `userName' using /etc/security/authorized_keys
Jun 17 11:31:16 host sudo[21318]: pam_ssh_agent_auth: Contacted ssh-agent of user userName (1000)
Jun 17 11:31:16 host sudo[21318]: pam_ssh_agent_auth: Failed Authentication: `userName' as `userName' using /etc/security/authorized_keys

As you can see, it successfully contacts the ssh-agent, but then authentication fails. PAM falls back to the next authentication method(s), and asks for the sudo/userName password, then I'm able to proceed. I'm trying to configure it, so that you don't need a sudo password, as long as you connect via ssh with an authorized key.

Here are the relevant files and their contents:

/etc/pam.d/sudo

#%PAM-1.0

auth       sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys debug
auth       required   pam_env.so readenv=1 user_readenv=0
auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

@include common-auth
@include common-account
@include common-session-noninteractive

/etc/security/authorized_keys file information: This file contains 4 ssh-rsa public keys.

-rw-r--r-- 1 root root 1597 Jun 16 16:07 /etc/security/authorized_keys

/etc/sudoers

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_keep += SSH_AUTH_SOCK

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

And, for sanity's sake, you can see the SSH_AUTH_SOCK is indeed being "passed up the sudo chain" correctly…

printenv | grep SSH

SSH_AUTH_SOCK=/tmp/ssh-m9Ume3GOIP/agent.15964

sudo printenv | grep SSH

SSH_AUTH_SOCK=/tmp/ssh-m9Ume3GOIP/agent.15964

I ssh into the server via

ssh -A host@ip_address

I'll include any other information that may be helpful, just ask 🙂

I've been at this for over a day, and I've found dozens of "howtos" to set up PAM sudo authentication using ssh keys, and they're all similar… but I can't find anything that might shine light on why the PAM authentication fails, after successfully contacting/communicating with the ssh-agent.

Thanks in advance!

UPDATE

ssh-add on the client side was the trick. I'm not an "ssh power user", but this gives me what I need to figure out the root cause. Thanks!

Best Answer

The configuration is OK, but you need to have some identities in your ssh-agent to be able to authorize the sudo operation. You can verify that your agent has some identities using

ssh-add -L

It should print the public keys in your agent, and at least one of them should match a public key on the server in /etc/security/authorized_keys.

If the agent does not have any identities, you need to add them on your computer, again using

ssh-add [path/to/key]

and insert your passphrase, if prompted.
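As an added example, not part of the original question or answer, the following shell script does the comparison the answer describes on the server side: it reduces both the agent listing (`ssh-add -L`) and the file pam_ssh_agent_auth reads (/etc/security/authorized_keys) to "type base64" pairs, so key comments and leading `from=` options are ignored, and reports which agent identities the module could accept. The function names and the fake key material in the demo are assumptions of this example.

```shell
# Added example (not from the question or answer): check whether any identity
# the ssh-agent offers matches a key in the file pam_ssh_agent_auth reads
# (file=/etc/security/authorized_keys in the question). A reachable agent
# with no matching identity gives exactly the "Contacted ssh-agent ... Failed
# Authentication" pair seen in auth.log.
# Reduce authorized_keys / `ssh-add -L` lines to "type base64": drop comments,
# blank lines, trailing key comments and leading options such as from="...".
normalize_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/) {
                    print $i, $(i + 1); break
                }
        }' "$@"
}

# agent_keys_matching AUTHORIZED_FILE [AGENT_LISTING_FILE]
# Prints each agent key also present in AUTHORIZED_FILE; returns 0 on at least
# one match, 1 on none. Without a second argument the listing comes live from
# `ssh-add -L` (run as the sudo-invoking user with the forwarded SSH_AUTH_SOCK).
agent_keys_matching() {
    agent_tmp=$(mktemp) || return 2
    auth_tmp=$(mktemp) || { rm -f "$agent_tmp"; return 2; }
    if [ -n "$2" ]; then
        normalize_keys "$2" > "$agent_tmp"
    else
        ssh-add -L 2>/dev/null | normalize_keys > "$agent_tmp"
    fi
    normalize_keys "$1" > "$auth_tmp"
    # Whole-line, fixed-string intersection of the two normalized lists.
    matches=$(grep -F -x -f "$auth_tmp" "$agent_tmp" || true)
    rm -f "$agent_tmp" "$auth_tmp"
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
}

# Stand-alone demo on constructed data (fake key material, not real keys).
demo_constructed() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' 'ssh-rsa AAAAB3CONSTRUCTED1 alice@laptop' \
                  'ssh-ed25519 AAAAC3CONSTRUCTED2 alice@laptop' > "$dir/agent.txt"
    printf '%s\n' '# constructed server-side file' \
                  'from="10.0.0.0/8" ssh-rsa AAAAB3CONSTRUCTED1 admin' \
                  'ssh-rsa AAAAB3CONSTRUCTED3 bob' > "$dir/authorized_keys"
    agent_keys_matching "$dir/authorized_keys" "$dir/agent.txt"; rc=$?
    rm -rf "$dir"; return $rc
}
demo_constructed
```

On a real host, run `agent_keys_matching /etc/security/authorized_keys` as the user before invoking sudo; a non-zero return with the agent reachable reproduces the failure in the question and means the client still needs `ssh-add`.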
