I am using PuTTY to login via SSH to various Linux machines (mostly CentOS and Ubuntu). I use SSH key authentication, whereas the key is stored in KeePass 2.x and handed over to PuTTY via the KeeAgent plugin (basically a replacement for pageant). Works fine so far.

But when logged in, using `sudo` requires me to enter the password. Is there a way around it? So, when logged in via SSH key, no password should be needed for sudo?

There is this very similar question from 6 years ago: sudo: don't ask password when logged in with ssh key. The given answer is not really an answer but a workaround to use ssh key login and log in with root directly. There are various reasons not to do that.
Best Answer
If you can use SSH agent forwarding, there actually is a way: `pam_ssh_agent_auth.so` (source here) is a PAM module that can do what you ask. It's available in Debian and Ubuntu as package `libpam-ssh-agent-auth` and as CentOS package `pam_ssh_agent_auth`.

Security Considerations

You should evaluate the risks of using SSH agent forwarding, as the developer says:

If you make sure your KeeAgent has the option "Always require confirmation when client program requests to use key" set, this even offers you a degree of protection against someone else with root access on the remote host: if you get a SSH key request confirmation dialog with no obvious reason, you'll know that someone is trying to abuse your SSH agent connection.

If you also make sure you'll always lock your KeePass and/or workstation screen when you step away from it, I think this should offer pretty good security; it's certainly more secure than using `NOPASSWD` in `sudoers`. It is also better than allowing `root` logins with ssh keys only and adding everyone who is allowed to log in as root to root's `authorized_keys` file because it maintains the advantages of sudo.

Usage

To use it, you basically add this as the first `auth` line in `/etc/pam.d/sudo`:

A simple sed command to do this (adds it to the second line, since the first is a comment):

Then add the public SSH keys of users that should be authorized to use SSH-authenticated `sudo` to `/etc/security/authorized_keys` in the usual single-line OpenSSH compatible format.

Then configure sudoers to preserve the environment variable `SSH_AUTH_SOCK` by editing the sudoers file (use `visudo`). Add this line to the section with the other `Defaults`.

Then, you need to make sure that your ssh client allows agent forwarding. In PuTTY you need to check this:

While testing this, don't forget to terminate your sudo sessions with `sudo -k`.
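The three server-side steps of the answer (PAM line, `SSH_AUTH_SOCK` in sudoers, the authorized_keys file) as one idempotent script. This is an added example, not code from the answer or from the pam_ssh_agent_auth project. It assumes the module's documented `file=` option names the key file, that `/etc/sudoers.d` drop-ins are enabled (the Ubuntu and CentOS default), and that the sample key is a constructed placeholder rather than a real user's key; every function takes a root prefix so it can be run against a scratch directory first. The client side (enabling agent forwarding and key-use confirmation in PuTTY/KeeAgent) is not scripted here.

```shell
#!/bin/sh
# Added example; not code from the answer above or from the pam_ssh_agent_auth
# project. Assumptions: the module's documented "file=" option names the
# authorized_keys file; /etc/sudoers.d drop-ins are enabled (the Ubuntu and
# CentOS default); the sample key below is constructed, not a real user's key.
# Every function takes a root prefix so it can be exercised on a scratch
# directory (mktemp -d) rather than the live /etc.
set -u

KEYFILE=/etc/security/authorized_keys
PAM_LINE="auth sufficient pam_ssh_agent_auth.so file=$KEYFILE"
SUDOERS_LINE='Defaults env_keep += "SSH_AUTH_SOCK"'
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealOneAAAAAAAAAAAAAAAAAA alice@laptop'

# Step 1: insert the module before the first directive in /etc/pam.d/sudo, i.e.
# ahead of the existing "auth" lines (CentOS) or "@include common-auth"
# (Debian/Ubuntu), so the agent is tried before the password prompt.
# Idempotent: a second run leaves the file unchanged.
install_pam_line() {
    root=$1; f="$root/etc/pam.d/sudo"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    grep -q 'pam_ssh_agent_auth\.so' "$f" && return 0
    awk -v line="$PAM_LINE" '
        !done && $0 !~ /^[ \t]*#/ && $0 !~ /^[ \t]*$/ { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Step 2: keep SSH_AUTH_SOCK across sudo via a drop-in (what the answer does by
# editing sudoers with visudo). Mode 0440 is what sudo expects for these files;
# the syntax check runs only where visudo exists and we are root, since visudo
# also complains about a file that root does not own.
install_sudoers_keep() {
    root=$1; d="$root/etc/sudoers.d"; f="$d/ssh_agent_auth"
    mkdir -p "$d"
    printf '%s\n' "$SUDOERS_LINE" > "$f"
    chmod 0440 "$f"
    if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        visudo -cf "$f" >/dev/null || return 1
    fi
}

# Step 3: append one public key, accepting only a single-line OpenSSH key
# (key type, base64 blob, optional comment). The file holds public keys, so
# 0644 is fine; what matters is that only root can write it.
authorize_key() {
    root=$1; pubkey=$2; f="$root$KEYFILE"
    case $pubkey in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "not an OpenSSH public key line: $pubkey" >&2; return 1 ;;
    esac
    blob=$(printf '%s\n' "$pubkey" | awk '{ print $2 }')
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' || { echo "bad key blob" >&2; return 1; }
    mkdir -p "$(dirname "$f")"
    touch "$f" && chmod 0644 "$f"
    grep -qF -- "$blob" "$f" || printf '%s\n' "$pubkey" >> "$f"
}

# Returns 0 when all three server-side pieces are in place.
check_setup() {
    root=$1
    grep -q 'pam_ssh_agent_auth\.so' "$root/etc/pam.d/sudo" &&
    grep -rqF 'SSH_AUTH_SOCK' "$root/etc/sudoers.d" 2>/dev/null &&
    [ -s "$root$KEYFILE" ]
}

# Constructed stand-in for a stock Ubuntu /etc/pam.d/sudo, for scratch runs.
seed_scratch_root() {
    mkdir -p "$1/etc/pam.d"
    printf '#%%PAM-1.0\n@include common-auth\n@include common-account\n' > "$1/etc/pam.d/sudo"
}

# Usage: sh this.sh "$(mktemp -d)"   (scratch run; inspect the files afterwards)
if [ -n "${1:-}" ]; then
    [ -f "$1/etc/pam.d/sudo" ] || seed_scratch_root "$1"
    install_pam_line "$1" && install_sudoers_keep "$1" && authorize_key "$1" "$SAMPLE_KEY"
    check_setup "$1" && echo "SSH-agent sudo configured under $1"
fi
```

Run it against a scratch directory first and read the three files it produces; only then, as root, run the functions against `/` (the `[ -f ... ]` guard means a real `/etc/pam.d/sudo` is never replaced by the constructed stand-in). The idempotency checks matter in practice: a duplicate `auth sufficient` line or a duplicated key is harmless but makes later audits of who may use agent-authenticated sudo harder to read.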