Pam ssh agent auth

From Gentoo Wiki

Introduction

The PAM module sys-auth/pam_ssh_agent_auth allows one to use a locally installed SSH key to authenticate for app-admin/sudo. This is useful for those who aren’t happy with completely passwordless sudo, but don’t want to be typing passwords all the time.

Installation

root # emerge --ask pam_ssh_agent_auth

Create SSH Keys

Have every user who would like this capability follow the guide on the SSH wiki page and create the needed keys.

Configure

Configure sudo to try public-key authentication first, then fall back to normal password authentication.

FILE /etc/pam.d/sudo
...
auth [success=3 default=ignore] pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys
auth    include     system-auth
account include     system-auth
session include     system-auth
...

Configure sudoers to preserve the environment variable SSH_AUTH_SOCK, since sudo's default environment reset would otherwise hide the agent socket from the PAM module.

FILE /etc/sudoers
...
Defaults env_keep += "SSH_AUTH_SOCK"
...

Add Desired User's Public Key

Repeat this process for every user who should be able to authenticate to sudo with a key.

root # cat /home/<user>/.ssh/*.pub >> /etc/ssh/sudo_authorized_keys

Extra: Launch ssh-agent upon login

user $ echo "ssh-add" >> ~/.bash_profile
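The following script is an added sanity check for the setup described above; it is not part of the Gentoo wiki page or of pam_ssh_agent_auth. It verifies the three things that most often break this configuration: the key file is root-owned and not writable by others (otherwise a user could append a key and grant themselves sudo), sudoers keeps SSH_AUTH_SOCK, and at least one key loaded in the running agent is listed in the sudo key file. The paths are the ones used on this page; the function and variable names are the script's own.

```shell
#!/bin/sh
# Added check for the pam_ssh_agent_auth sudo setup described on this page
# (not part of the Gentoo wiki). Default paths are the ones the page uses.
KEYFILE=${KEYFILE:-/etc/ssh/sudo_authorized_keys}
SUDOERS=${SUDOERS:-/etc/sudoers}

# Reduce an authorized_keys-style file or saved `ssh-add -L` output to
# "type base64" lines, ignoring comments, blank lines, key options and
# trailing key comments, so the two sources can be compared exactly.
key_ids() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    awk '{ for (i = 1; i < NF; i++)
             if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1); break } }'
}

# Succeed when at least one key loaded in the agent ($1 = saved `ssh-add -L`
# output) appears in the sudo key file ($2); that is what the module needs.
agent_key_authorized() {
    key_ids "$1" | while read -r type blob; do
        key_ids "$2" | grep -qxF -- "$type $blob" && echo "$type $blob"
    done | grep -q .
}

# Succeed when sudoers keeps SSH_AUTH_SOCK; otherwise sudo never sees the agent.
sudoers_keeps_sock() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=.*SSH_AUTH_SOCK' "$1"
}

# Succeed when the key file is root-owned and not group/world writable.
keyfile_perms_ok() {
    [ -f "$1" ] || return 1
    set -- "$(stat -c '%u' "$1")" "$(stat -c '%a' "$1")"   # GNU stat (Linux)
    [ "$1" = 0 ] || return 1
    case "$2" in *[2367]?|*[2367]) return 1 ;; esac        # group/other write bit
}

# Run all three checks against the live system and report PASS/FAIL for each.
main() {
    status=0
    agent=$(mktemp) && ssh-add -L >"$agent" 2>/dev/null
    for check in "keyfile_perms_ok $KEYFILE" "sudoers_keeps_sock $SUDOERS" \
                 "agent_key_authorized $agent $KEYFILE"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; status=1; fi
    done
    rm -f "$agent"; return $status
}
case "${1:-}" in --check) main; exit $? ;; esac
```

Run it as the user who will be using sudo, with `sh sudo_key_check.sh --check`, so that `ssh-add -L` talks to that user's agent.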