Pam ssh agent auth

From Gentoo Wiki
Jump to:navigation Jump to:search

pam_ssh_agent_auth is the PAM module that allows a locally installed SSH key to authenticate for sudo.

This is useful for those who are not happy with completely passwordless sudo, but do not want to be frequently typing passwords.



root #emerge --ask pam_ssh_agent_auth


This PAM module does not support FIDO2 keys.

Create SSH keys

Have each user that would like this capability to follow the guide on the SSH page to create SSH keys.

PAM sudo file

Configure sudo to try using public keys, then fall back to normal password authentication:

FILE /etc/pam.d/sudo
auth    sufficient file=/etc/ssh/sudo_authorized_keys
auth    include     system-auth
account include     system-auth
session include     system-auth

Configure sudoers to preserve the environment variable SSH_AUTH_SOCK:

FILE /etc/sudoers
Defaults env_keep += "SSH_AUTH_SOCK"

Add desired user's public key

Repeat this process for each user desired for sudo authentication:

root #cat /home/<user>/.ssh/*.pub >> /etc/ssh/sudo_authorized_keys

Extra: Launch ssh-agent at login

user $echo "ssh-add" >> ~/.bash_profile

See also

  • PAM — allows (third party) services to provide an authentication module for their service which can then be used on PAM enabled systems.