Pam ssh agent auth
This is useful for those who are not happy with completely passwordless sudo, but do not want to be frequently typing passwords.
emerge --ask pam_ssh_agent_auth
This PAM module does not support FIDO2 keys.
Create SSH keys
Have each user that would like this capability to follow the guide on the SSH page to create SSH keys.
PAM sudo file
Configure sudo to try using public keys, then fall back to normal password authentication:
auth sufficient pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys
auth include system-auth
account include system-auth
session include system-auth
Configure sudoers to preserve the environment variable SSH_AUTH_SOCK:
Defaults env_keep += "SSH_AUTH_SOCK"
Add desired user's public key
Repeat this process for each user desired for sudo authentication:
cat /home/<user>/.ssh/*.pub >> /etc/ssh/sudo_authorized_keys
Extra: Launch ssh-agent at login
echo "ssh-add" >> ~/.bash_profile
- PAM — allows (third party) services to provide an authentication module for their service which can then be used on PAM enabled systems.