I'd like to set up sudo in such a way that it doesn't prompt me for a password when I authenticate to sshd with a key, but does otherwise.
I don't want an answer of "it doesn't work like that" because obviously that's the reason why I asked the question in the first place. I don't want the suggestion of creating two users for this.
Consider that for my personal servers I use Fedora, maybe there might be a hack with a temporal SELinux role based on authentication method, which can be then used in the sudoers file?
Best Answer
Here is a paper that describes a possible implementation on BSD: https://www.usenix.org/legacy/event/lisa08/tech/full_papers/burnside/burnside_html/
It requires agent forwarding though, which I consider rather dangerous. Also, the site doesn't seem to link any sources or patches, and I don't think these changes have been implemented upstream.
It may also be possible to write a custom sudo auth plugin: http://www.opensource.apple.com/source/sudo/sudo-3/sudo/auth/API
Seems rather complicated to me though, and I don't know if it's even possible to query sshd whether public key authentication has been used.
If I were you I would just put my public key into /root/.ssh/authorized_keys and be done with it.
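On the doubt above about whether sshd can be asked how a session authenticated: sshd does record the accepted method in its auth log. The following is an added example, not part of the original answer, that reads that record from constructed syslog-style lines and ties it to the sshd PID; the hosts, users, addresses and fingerprint are made up, the function names are hypothetical, and the traditional syslog line prefix is assumed.

```python
import re

# Constructed sample lines in the format OpenSSH's sshd writes to the auth log
# (/var/log/secure on Fedora). All values are invented for this example.
SAMPLE_LOG = """\
Mar  3 10:15:01 host1 sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINTexamplefingerprint0000000
Mar  3 10:15:01 host1 sshd[2101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:17:40 host1 sshd[2177]: Failed password for bob from 192.0.2.44 port 41810 ssh2
Mar  3 10:17:45 host1 sshd[2177]: Accepted password for bob from 192.0.2.44 port 41810 ssh2
Mar  3 10:20:12 host1 sshd[2203]: Invalid user Accepted publickey for root from 192.0.2.99 port 40000
"""

# The message must start with "Accepted" directly after the "sshd[pid]: " tag,
# so client-supplied text later in a line (such as a user name) cannot be
# mistaken for a successful login record.
ACCEPT_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<addr>\S+) port (?P<port>\d+) ssh2(?:: (?P<key>.+))?$"
)


def accepted_logins(log_text):
    """Return {sshd_pid: {user, method, addr, key}} for every accepted login."""
    sessions = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            sessions[int(m["pid"])] = {
                "user": m["user"],
                "method": m["method"],
                "addr": m["addr"],
                "key": m["key"],  # key type and fingerprint, None for passwords
            }
    return sessions


def key_authenticated(sessions, pid):
    """True only if the login handled by this sshd PID used a public key."""
    entry = sessions.get(pid)
    return entry is not None and entry["method"] == "publickey"


if __name__ == "__main__":
    for pid, info in accepted_logins(SAMPLE_LOG).items():
        print(pid, info["user"], info["method"], info["key"] or "-")
```

This is audit data for reviewing which logins used a key; sudo itself does not consult it.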