
Using SSH agent for sudo authentication on Ubuntu

Robert Gauld

Thanks to a post at www.drhevans.com/blog/posts/195-using-ssh-agent-for-sudo-authentication/ I got a starting point; however a few things didn't quite work out (I had to install checkinstall as a prerequisite and edit the client machine user's ssh config), so here are the adjusted instructions (updated Feb 2015). You can check out the project on GitHub: github.com/cpick/pam-ssh-agent-auth

  1. Install from the PPA (launchpad.net/~cpick/+archive/ubuntu/pam-ssh-agent-auth)
  2. Configure (server)
    1. Do this in a new root shell (so you can easily fix things if you break sudo's config) -> sudo -s
    2. Add to your /etc/sudoers file:
      1. Defaults env_keep += SSH_AUTH_SOCK
    3. Edit /etc/pam.d/sudo to look like the following (adding the pam_ssh_agent_auth.so line; its position above @include common-auth matters, because success=2 skips the two stack entries after it when the key check succeeds, so the password modules are never reached):

        #%PAM-1.0
        auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
        @include common-auth
        @include common-account
        session required pam_permit.so
        session required pam_limits.so
  3. Configure (client)
    1. Open the client user's ssh config, ~/.ssh/config
    2. Add a Host section for each host you want to connect to (don't use *: while you are connected, anyone with root on a host you forward to can use your agent, so only forward to hosts you trust)
    3. In each Host section add ForwardAgent yes
  4. Test and Debug
    1. Force sudo reauthentication and see who you are (you should not be prompted for a password):
      1. sudo -K
      2. sudo whoami
    2. If it doesn't work check that the SSH_AUTH_SOCK environment variable is being passed correctly:
      1. printenv | grep SSH
      2. sudo printenv | grep SSH
    3. Use the debug option:
      1. Add debug to the end of the line added to /etc/pam.d/sudo
      2. Check the /var/log/auth.log file
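As an added example (not part of the original post or the pam-ssh-agent-auth project), the following POSIX shell script checks the two server-side edits from step 2 offline and turns the SSH_AUTH_SOCK check from step 4.2 into a function; the sample config files and printenv output it feeds them are constructed inline, not taken from a live system.

```shell
#!/bin/sh
# Added example, not from the original post: offline sanity checks for the
# server-side edits in step 2 and a scripted form of the step 4.2 check.

# check_pam_sudo FILE
# The pam_ssh_agent_auth line must exist and sit above "@include common-auth":
# success=2 skips the two stack entries after it, so if it came after
# common-auth the password modules would already have run.
check_pam_sudo() {
    agent=$(grep -n '^auth[[:space:]].*pam_ssh_agent_auth\.so' "$1" | head -n 1 | cut -d: -f1)
    common=$(grep -n '^@include[[:space:]]*common-auth' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$agent" ] && [ -n "$common" ] && [ "$agent" -lt "$common" ]
}

# check_sudoers FILE
# sudo must keep SSH_AUTH_SOCK; without it the module never finds the
# forwarded agent socket and you fall through to the password prompt.
check_sudoers() {
    grep -Eq '^Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"?SSH_AUTH_SOCK' "$1"
}

# check_env_output TEXT: TEXT is the output of `printenv` (plain or under sudo);
# succeeds only if a non-empty SSH_AUTH_SOCK reached that environment.
check_env_output() {
    printf '%s\n' "$1" | grep -q '^SSH_AUTH_SOCK=.'
}

# run_demo: writes constructed sample files (not copied from a live system)
# and returns 0 only if the correct layouts pass and the broken ones fail.
run_demo() {
    d=$(mktemp -d) || return 1
    agent_line='auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys'
    printf '%s\n' '#%PAM-1.0' "$agent_line" '@include common-auth' \
        '@include common-account' > "$d/pam.good"
    printf '%s\n' '#%PAM-1.0' '@include common-auth' "$agent_line" \
        '@include common-account' > "$d/pam.bad"
    printf '%s\n' 'Defaults env_reset' 'Defaults env_keep += SSH_AUTH_SOCK' > "$d/sudoers.good"
    printf '%s\n' 'Defaults env_reset' > "$d/sudoers.bad"
    env_ok=$(printf 'HOME=/home/alice\nSSH_AUTH_SOCK=/tmp/ssh-constructed/agent.123')
    env_bad='HOME=/root'
    check_pam_sudo "$d/pam.good" && ! check_pam_sudo "$d/pam.bad" \
        && check_sudoers "$d/sudoers.good" && ! check_sudoers "$d/sudoers.bad" \
        && check_env_output "$env_ok" && ! check_env_output "$env_bad"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

run_demo && echo "checks behave as expected on the sample files"
```

On a real server, point check_pam_sudo at /etc/pam.d/sudo and check_sudoers at /etc/sudoers (as root), and pass `printenv` and `sudo printenv` output to check_env_output.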