
Using SSH agent for sudo authentication on Ubuntu

Robert Gauld (updated )

Thanks to a post at I got a starting point, however a few things didn't quite work out (I had to install checkinstall as a prerequisite and edit the client machine user's ssh config) so here are the adjusted instructions (updated Feb 2015). You can check out the project on GitHub -

  1. Install from the PPA (
  2. Configure (server)
    1. Do this in a new root shell (so you can easily fix things if you break sudo's config) -> sudo -s
    2. Add to your /etc/sudoers file:
      1. Defaults env_keep += SSH_AUTH_SOCK
    3. Edit /etc/pam.d/sudo to look like the following (adding the bold line, position is important):
      1. #%PAM-1.0
        auth [success=2 default=ignore] file=~/.ssh/authorized_keys
        @include common-auth
        @include common-account
        session required
        session required
  3. Configure (client)
    1. Open ~/.ssh
    2. Add a host section for each host you want to connect to (don't use *)
    3. In each host section add ForwardAgent yes
  4. Test and Debug
    1. Force sudo reauthentication and see who you are (you should not be prompted for a password):
      1. sudo -K
      2. sudo whoami
    2. If it doesn't work, check that the SSH_AUTH_SOCK environment variable is being passed correctly:
      1. printenv | grep SSH
      2. sudo printenv | grep SSH
    3. Use the debug option
      1. Add debug to the end of the line added to /etc/pam.d/sudo
      2. Check the /var/log/auth.log file
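
The client step above says to add ForwardAgent per host and not under *. The following check for that rule is an added example, not part of the original post or the project: it lists any block in an ssh client config that enables agent forwarding for a wildcard pattern. The function names and the sample host names are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original post.
# check_forward_agent FILE: list ssh client config blocks that turn on agent
# forwarding for a wildcard pattern (or globally). Exit status 1 if any found.
check_forward_agent() {
    cfg="${1:-$HOME/.ssh/config}"
    awk '
        function report() {
            if (fwd && wild) { printf "%d: %s\n", start, block; bad = 1 }
        }
        # Options placed before the first Host line apply to every host.
        BEGIN { block = "(global, before any Host line)"; wild = 1; start = 1 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            gsub(/"/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)   # Key=Value -> Key Value
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])               # keywords are case-insensitive
        }
        key == "host" || key == "match" {
            report()
            block = line; start = NR; fwd = 0; wild = 0
            for (i = 2; i <= n; i++) {
                if (key == "host" && f[i] ~ /[*?]/ && f[i] !~ /^!/) wild = 1
                if (key == "match" && tolower(f[i]) == "all") wild = 1
            }
            next
        }
        # Any value other than "no" (yes, a socket path, $VAR) enables forwarding.
        key == "forwardagent" && tolower(f[2]) != "no" { fwd = 1 }
        END { report(); exit bad + 0 }
    ' "$cfg"
}

# Constructed sample config; the host names are placeholders.
sample_config() {
    cat <<'EOF'
Host build01.example.com
    ForwardAgent yes
Host *.example.com
    ForwardAgent yes
Host *
    ForwardAgent no
EOF
}

# Prints "3: Host *.example.com" for the sample above.
sample_config | check_forward_agent - || echo "wildcard agent forwarding found"
```

Run it as check_forward_agent ~/.ssh/config on the client machine; each output line gives the line number and the Host or Match line of a block to narrow down.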