Using SSH agent for sudo authentication on Ubuntu
(updated Feb 2015)
Thanks to a post at www.drhevans.com/blog/posts/195-using-ssh-agent-for-sudo-authentication/ I got a starting point; however, a few things didn't quite work out (I had to install checkinstall as a prerequisite and edit the client machine user's SSH config), so here are the adjusted instructions (updated Feb 2015). The idea is that pam_ssh_agent_auth lets sudo accept a signature from a key held in your forwarded SSH agent in place of your password. You can check out the project on GitHub: github.com/cpick/pam-ssh-agent-auth
- Install from the PPA (launchpad.net/~cpick/+archive/ubuntu/pam-ssh-agent-auth)
- Configure (server)
- Do this in a new root shell and keep it open until the test below passes (so you can easily fix things if you break sudo's config) -> sudo -s
- Add to your /etc/sudoers file (use visudo, which refuses to save a file with a syntax error); sudo's env_reset would otherwise strip the variable the module needs:
-
Defaults env_keep += SSH_AUTH_SOCK
-
- Edit /etc/pam.d/sudo to look like the following (adding the auth line with pam_ssh_agent_auth.so; position is important, it must come before @include common-auth). The [success=2 default=ignore] control skips the next two auth modules of the stack when the agent proves possession of an authorized key; when it cannot (default=ignore), evaluation continues into common-auth and you get the usual password prompt:
-
#%PAM-1.0
auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
@include common-auth
@include common-account
session required pam_permit.so
session required pam_limits.so
-
- Caveat: ~ in the file= path is the home directory of the user invoking sudo, so the list of keys that grants passwordless root is writable by that same user (and by anything running as them). A root-owned file that the user cannot edit, such as /etc/security/authorized_keys, is the more conservative choice.
-
- Configure (client)
- Open ~/.ssh/config (create it if it does not exist)
- Add a Host section for each host you want to connect to (don't use Host *: while you are connected, root on the remote host can use your forwarded agent to sign with any key it holds, so only forward to hosts you trust with that)
-
In each Host section add the line ForwardAgent yes
- Test and Debug
- Force sudo reauthentication and see who you are (you should not be prompted for password):
-
sudo -K
-
sudo whoami
-
- If it doesn't work, check that the SSH_AUTH_SOCK environment variable is being passed correctly; the two commands below should show the same socket path, and if the second one shows nothing the env_keep line in /etc/sudoers is missing or misspelt:
-
printenv | grep SSH
-
sudo printenv | grep SSH
-
- Use the module's debug option
-
Add debug to the end of the pam_ssh_agent_auth.so line in /etc/pam.d/sudo
- Then check /var/log/auth.log, which records which authorized_keys file was read and whether a key in the agent matched
-
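The most common reason sudo still prompts for a password after the steps above is that none of the keys in the forwarded agent appear in the authorized_keys file the module reads. The script below is an added example (not code from the original post or from the pam-ssh-agent-auth project) that checks exactly that: agent_keys_authorized compares ssh-add -L output against authorized_keys text, ignoring comments, blank lines and a leading options field, and check_live runs it against the real agent on the server. The function names and the sample keys are made up for this example; the sample key blobs are not real keys.

```shell
#!/bin/sh
# Added example: is any key in the forwarded agent listed in the authorized_keys
# file pam_ssh_agent_auth will consult? Not from the original post or the
# pam-ssh-agent-auth project; function names and sample data are invented here.

# agent_keys_authorized AGENT_KEYS AUTHORIZED_KEYS
#   AGENT_KEYS      text in `ssh-add -L` format: "<type> <base64> <comment>" per line
#   AUTHORIZED_KEYS text in authorized_keys format; blank lines, # comments and a
#                   leading options field (e.g. from="10.0.0.0/8",no-pty) are allowed
# Prints "<type> <base64>" for every agent key present in AUTHORIZED_KEYS and returns 0;
# returns 1 when no agent key is authorized (sudo would fall back to a password prompt).
agent_keys_authorized() {
    # The authorized_keys text is passed via the environment rather than awk -v,
    # because -v would interpret backslash escapes inside the file contents.
    printf '%s\n' "$1" | AUTHORIZED="$2" awk '
    BEGIN {
        n = split(ENVIRON["AUTHORIZED"], lines, "\n")
        for (i = 1; i <= n; i++) {
            line = lines[i]
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) continue
            nf = split(line, f, /[ \t]+/)
            # Walk the fields until one looks like a key type; everything before it
            # is the optional options field (which may itself contain quoted spaces).
            for (j = 1; j < nf; j++) {
                if (f[j] ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[^ ]+@openssh\.com)$/) {
                    allowed[f[j] " " f[j+1]] = 1
                    break
                }
            }
        }
    }
    # Each agent line: match on type + blob only; the comment is not part of the key.
    NF >= 2 && (($1 " " $2) in allowed) { print $1, $2; found = 1 }
    END { exit found ? 0 : 1 }
    '
}

# check_live [AUTHORIZED_KEYS_FILE]
# Run on the server, logged in over ssh -A as the invoking user (not inside sudo -s).
# Exit 2 means the agent itself is the problem (not forwarded, or empty), the same
# condition that `sudo printenv | grep SSH` coming back empty would point at.
check_live() {
    keyfile="${1:-$HOME/.ssh/authorized_keys}"
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is not set: agent forwarding is off for this host" >&2
        return 2
    fi
    agent_keys="$(ssh-add -L)" || {
        echo "agent reachable but holds no identities (run ssh-add on the client)" >&2
        return 2
    }
    agent_keys_authorized "$agent_keys" "$(cat "$keyfile")"
}

# Constructed sample data (not real keys) so the check can be exercised offline.
SAMPLE_AGENT_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKEfake alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCstaleKEYnotINauthorized alice@old-laptop'

SAMPLE_AUTHORIZED_KEYS='# constructed sample ~/.ssh/authorized_keys
from="10.0.0.0/8",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKEfake alice@laptop

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsomeoneELSEentirely bob@desk'

# demo: runs the offline check on the sample data; prints the one authorized key.
demo() {
    agent_keys_authorized "$SAMPLE_AGENT_KEYS" "$SAMPLE_AUTHORIZED_KEYS"
}

case "${1:-}" in
    --live) check_live "${2:-}" ;;
    --demo) demo ;;
esac
```

Run it as `sh check-agent-keys.sh --live` on the server right after logging in with agent forwarding enabled; if it prints nothing and exits 1, the agent is forwarded but holds no key that the file= path authorizes, which is the case the debug option in /etc/pam.d/sudo will also report in /var/log/auth.log. Point the second argument at /etc/security/authorized_keys if you moved the key list there.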