Using SSH agent for sudo authentication on Ubuntu

Thanks to a post at http://www.drhevans.com/blog/posts/195-using-ssh-agent-for-sudo-authentication/ I got a starting point; however, a few things didn't quite work out (I had to install checkinstall as a prerequisite and edit the client machine user's ssh config), so here are the adjusted instructions (updated Feb 2015). You can check out the project on GitHub - https://github.com/cpick/pam-ssh-agent-auth

  1. Install from the PPA (https://launchpad.net/~cpick/+archive/ubuntu/pam-ssh-agent-auth)
  2. Configure (server)
    1. Do this in a new root shell (so you can easily fix things if you break sudo's config) -> sudo -s
    2. Add to your /etc/sudoers file:
      1. Defaults env_keep += SSH_AUTH_SOCK

    3. Edit /etc/pam.d/sudo to look like the following (adding the pam_ssh_agent_auth.so line; its position is important):

        #%PAM-1.0
        auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
        @include common-auth
        @include common-account
        session required pam_permit.so
        session required pam_limits.so

  3. Configure (client)
    1. Open ~/.ssh/config
    2. Add a host section for each host you want to connect to (don't use *)
    3. In each host section add ForwardAgent yes

  4. Test and Debug
    1. Force sudo reauthentication and see who you are (you should not be prompted for password):
      1. sudo -K

      2. sudo whoami

    2. If it doesn't work check that the SSH_AUTH_SOCK environment variable is being passed correctly:
      1. printenv | grep SSH

      2. sudo printenv | grep SSH

    3. Use the debug option
      1. Add debug to the end of the line added to /etc/pam.d/sudo

      2. Check the /var/log/auth.log file
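
The script below is an added example, not part of the original post or of the pam-ssh-agent-auth project. It checks the three edits from the steps above: the position of the pam_ssh_agent_auth.so line, the env_keep entry, and that ForwardAgent is not enabled for a wildcard host. The function names and the host build1.example.test are made up for the example, and the demo runs on constructed sample files.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the three files edited above.
# Each function takes the file path as $1 so it can be pointed at a copy.

# Succeeds only if an active pam_ssh_agent_auth.so auth line comes before
# the first "@include common-auth" (the position the instructions require).
pam_order_ok() {
    awk '$1 ~ /^#/ { next }
         $1 == "auth" && /pam_ssh_agent_auth\.so/ && !inc { ok = 1 }
         $1 == "@include" && $2 == "common-auth" { inc = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# Succeeds if an uncommented Defaults line keeps SSH_AUTH_SOCK across sudo.
sudoers_keeps_sock() {
    awk '$1 == "Defaults" && /env_keep/ && /SSH_AUTH_SOCK/ { ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# Prints each place where "ForwardAgent yes" applies to a wildcard: a Host line
# containing "*", or the global scope before the first Host line.
# Simplification: Match blocks and the "Key=value" spelling are not handled.
wildcard_forwarding() {
    awk 'BEGIN { wild = 1; scope = "(global)" }
         tolower($1) == "host" {
             wild = 0; scope = $0
             for (i = 2; i <= NF; i++) if (index($i, "*")) wild = 1
             next
         }
         tolower($1) == "forwardagent" && tolower($2) == "yes" && wild { print scope }' "$1"
}

# Demo on constructed sample files; nothing is read from the real system.
demo() {
    d=$(mktemp -d) || return 1
    agent='auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys'
    printf '%s\n' '#%PAM-1.0' "$agent" '@include common-auth' > "$d/pam_good"
    printf '%s\n' '#%PAM-1.0' '@include common-auth' "$agent" > "$d/pam_bad"
    printf '%s\n' 'Defaults env_keep += SSH_AUTH_SOCK' > "$d/sudoers"
    printf '%s\n' 'Host build1.example.test' '  ForwardAgent yes' \
                  'Host *' '  ForwardAgent yes' > "$d/ssh_config"
    pam_order_ok "$d/pam_good" && echo "pam_good: agent line precedes common-auth"
    pam_order_ok "$d/pam_bad" || echo "pam_bad: agent line is after common-auth"
    sudoers_keeps_sock "$d/sudoers" && echo "sudoers: SSH_AUTH_SOCK is kept"
    echo "wildcard forwarding: $(wildcard_forwarding "$d/ssh_config")"
    rm -rf "$d"
}
demo
```

To use it on a real machine, call the functions on /etc/pam.d/sudo, /etc/sudoers (as root) and the client's ~/.ssh/config instead of running demo.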
