Setting Up Passwordless Sudo with PAM and ssh-agent Forwarding

Today I set up PAM with ssh-agent pass-through so that I could use sudo on my remote machines without having to enter my password each time.

I don’t know if this is more or less secure than whatever other system I might come up with. But I figured that if someone gets a hold of my private ssh key, I have bigger problems than them being able to use sudo on my remote machines.

The setup was pretty straightforward, after I found this guide through Google:

Install the PAM ssh-agent Module

Install the libpam-ssh-agent-auth package (Debian describes it as "PAM Authentication via forwarded ssh-agent") with apt install libpam-ssh-agent-auth. Other Linux distributions should have the same package, maybe under a different name. It provides a PAM module, pam_ssh_agent_auth, that authenticates you by asking your ssh-agent to sign a challenge with one of the keys listed in an authorized keys file. With agent forwarding, the remote machine talks to the agent running on your local machine, so the private key itself never leaves your local machine; only signatures travel over the connection.

Copy Authorized Keys for Sudo

Add the sudo authorized keys to /etc/ssh/sudo_authorized_keys. I just copied my current authorized_keys file with:

sudo cp ~/.ssh/authorized_keys /etc/ssh/sudo_authorized_keys

The authorized_keys file in your .ssh directory lists the public keys that are allowed to log in to your account. By copying it to /etc/ssh/sudo_authorized_keys, we are giving pam_ssh_agent_auth the same list of keys to accept for passwordless sudo. Keep that file owned by root and writable only by root: anyone who can add a key to it can sudo without a password.

Configure PAM for Sudo Authentication

Activate the PAM module for sudo authentication by adding this line to /etc/pam.d/sudo:

auth [success=2 default=ignore] pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys

The auth line we added tells PAM to try pam_ssh_agent_auth first, so it goes above the existing auth entries (on Debian, above the @include common-auth line). success=2 means that when the module succeeds, PAM skips the next two modules in the stack, which is where the normal password checks live, so the request is authenticated without a prompt. default=ignore means that any other result is ignored and PAM moves on to those modules, so the password still works as a fallback. The skip count has to match the number of auth entries that follow the line in your stack, so count the entries in the included files before copying the line.

Pass SSH_AUTH_SOCK to Sudo

Pass the SSH_AUTH_SOCK environment variable through to sudo, which otherwise scrubs the environment (env_reset is on by default), by adding this line to the sudoers file with visudo /etc/sudoers:

Defaults env_keep += SSH_AUTH_SOCK

This variable contains the path to the Unix socket the ssh-agent is listening on (for a forwarded agent, a socket that sshd created under /tmp). Passing it through lets pam_ssh_agent_auth, running inside sudo, talk to the agent.

That’s it! After that, I can forward my current ssh-agent session by connecting to the remote server with ssh -A username@server and use sudo without entering my password.
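The four steps above are easy to get subtly wrong (line in the wrong place in the PAM stack, env_keep missing, key file too permissive), and the symptom in every case is just a password prompt. The script below is an added example, not code from the original post: a set of static checks for the configuration. The file contents and paths are constructed fixtures written to a temp dir so it runs offline; on a real host you would point the functions at /etc/pam.d/sudo, /etc/sudoers and /etc/ssh/sudo_authorized_keys.

```shell
#!/bin/sh
# Added example, not from the original post: static sanity checks for the
# pam_ssh_agent_auth sudo setup. The file contents and paths below are
# constructed fixtures written to a temp dir so the script runs offline; on a
# real host point the functions at /etc/pam.d/sudo, /etc/sudoers and the key file.

# Print the key file named by an active (uncommented) auth line that loads
# pam_ssh_agent_auth.so; return 1 if there is no such line.
pam_agent_auth_keyfile() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_ssh_agent_auth\.so' "$1" \
        | sed -n 's/.*file=\([^[:space:]]*\).*/\1/p' | head -n 1 | grep .
}

# success=2 only skips the right modules if the agent line is the first entry in
# the auth stack. An @include (Debian's common-auth) placed before it pulls in the
# password modules first, and you still get prompted.
pam_agent_auth_is_first() {
    first=$(grep -E '^[[:space:]]*(auth[[:space:]]|@include)' "$1" | head -n 1)
    case "$first" in *pam_ssh_agent_auth.so*) return 0 ;; *) return 1 ;; esac
}

# sudo's env_reset drops SSH_AUTH_SOCK unless an env_keep entry names it.
sudoers_keeps_auth_sock() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=.*SSH_AUTH_SOCK' "$1"
}

# The key file must exist, be non-empty and not be writable by group or others:
# anyone who can append a key to it can sudo without a password.
keyfile_ok() {
    [ -s "$1" ] && [ -z "$(find "$1" \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# Count lines that start with a recognised public key type (blank lines and
# comments are ignored).
count_keys() {
    grep -cE '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com)[[:space:]]' "$1"
}

# Run-time check, needs a live `ssh -A` session: is there an agent socket to pass on?
agent_socket_live() { [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]; }

# Run the static checks on one PAM file and one sudoers file; return the number of
# failed checks (0 means the setup should work once an agent is forwarded).
audit() {
    fails=0
    if keyfile=$(pam_agent_auth_keyfile "$1"); then
        echo "PASS pam: pam_ssh_agent_auth active, keys from $keyfile"
        if pam_agent_auth_is_first "$1"; then echo "PASS pam: agent line is first in the stack"
        else echo "FAIL pam: agent line is not first, success=2 skips the wrong modules"; fails=$((fails+1)); fi
        if keyfile_ok "$keyfile" && [ "$(count_keys "$keyfile")" -gt 0 ]; then
            echo "PASS keys: $(count_keys "$keyfile") key(s), not group/world writable"
        else echo "FAIL keys: $keyfile missing, empty or too permissive"; fails=$((fails+1)); fi
    else
        echo "FAIL pam: no active pam_ssh_agent_auth line"; fails=$((fails+1))
    fi
    if sudoers_keeps_auth_sock "$2"; then echo "PASS sudoers: SSH_AUTH_SOCK kept"
    else echo "FAIL sudoers: SSH_AUTH_SOCK is dropped by env_reset"; fails=$((fails+1)); fi
    return "$fails"
}

# --- constructed fixtures --------------------------------------------------------
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
KEYS="$WORK/sudo_authorized_keys"
GOOD_PAM="$WORK/pam_sudo_good"; BAD_PAM="$WORK/pam_sudo_bad"
GOOD_SUDOERS="$WORK/sudoers_good"; BAD_SUDOERS="$WORK/sudoers_bad"

# Placeholder key blobs, not real public keys.
cat > "$KEYS" <<'EOF'
# sudo keys (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER user@laptop

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBPLACEHOLDER user@desktop
EOF
chmod 0644 "$KEYS"

# Good: the post's line placed ahead of the includes Debian ships in /etc/pam.d/sudo.
cat > "$GOOD_PAM" <<EOF
#%PAM-1.0
auth [success=2 default=ignore] pam_ssh_agent_auth.so file=$KEYS
@include common-auth
@include common-account
@include common-session-noninteractive
EOF
# Bad: same line, but after the include, so the password stack runs first.
cat > "$BAD_PAM" <<EOF
#%PAM-1.0
@include common-auth
auth [success=2 default=ignore] pam_ssh_agent_auth.so file=$KEYS
EOF
printf 'Defaults env_reset\nDefaults env_keep += SSH_AUTH_SOCK\nroot ALL=(ALL:ALL) ALL\n' > "$GOOD_SUDOERS"
printf 'Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n' > "$BAD_SUDOERS"

echo "== good fixtures =="; audit "$GOOD_PAM" "$GOOD_SUDOERS"
echo "== bad fixtures ==";  audit "$BAD_PAM" "$BAD_SUDOERS" || echo "$? check(s) failed"
```

The checks are deliberately textual: they read the files the way an admin would eyeball them rather than asking PAM, so they can run before the first login attempt and on a copy of the files. agent_socket_live is the one run-time check and only means anything inside an ssh -A session.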

Some tips on troubleshooting:

Update: Persisting ssh-agents Between tmux Sessions

I also use tmux when connecting to remote servers. I noticed that the ssh-agent was not persisting between tmux connections. That was annoying because it created some problems with consistent behavior between tmux sessions.

[It turns out](https://blog.testdouble.com/posts/2016-11-18-reconciling-tmux-and-ssh-agent-forwarding/) that the problem is that ssh creates a temporary file to hold the ssh-agent socket, and a new connection gets a new one. There is an easy fix for that, which involves keeping a stable symlink to the agent socket outside of the tmp folder and pointing SSH_AUTH_SOCK at it.

This requires two steps:

1. In ~/.ssh/rc (sshd runs this script on every login, so the symlink is refreshed each time a new forwarded socket appears):

#!/bin/bash

# Fix SSH auth socket location so agent forwarding works with tmux
if test -n "$SSH_AUTH_SOCK" ; then
    ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
fi

2. In ~/.tmux.conf:

# Remove SSH_AUTH_SOCK to disable tmux automatically resetting the variable
set -g update-environment "DISPLAY SSH_ASKPASS SSH_AGENT_PID \
                             SSH_CONNECTION WINDOWID XAUTHORITY"

# Use a symlink to look up SSH authentication
setenv -g SSH_AUTH_SOCK $HOME/.ssh/ssh_auth_sock

Please note that this will allow anyone with access to the .ssh/rc location to use the ssh_auth_sock. That’s probably a bad idea, so think about it before setting this up.
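One failure mode of the symlink approach is a stale link: the link in ~/.ssh outlives the ssh session that created it, so a tmux pane can inherit an SSH_AUTH_SOCK that nothing listens on, and sudo quietly falls back to asking for a password. The following is an added example, not code from the original post or the linked article; it checks whether the link still points at a live socket. The link paths are constructed in a temp dir for the demo; on a real host you would pass "$HOME/.ssh/ssh_auth_sock".

```shell
#!/bin/sh
# Added example, not from the original post: tell a live ~/.ssh/ssh_auth_sock link
# from a stale one. Paths below are constructed in a temp dir for the demo.

# Print the link's target if it is an existing Unix socket; otherwise print nothing
# and return 1. Targets are expected to be absolute, which is what
# `ln -sf "$SSH_AUTH_SOCK"` produces, so plain readlink (no -f) is enough; readlink
# is available on GNU and BSD userlands.
agent_link_target() {
    target=$(readlink "$1" 2>/dev/null) || return 1
    [ -S "$target" ] || return 1
    printf '%s\n' "$target"
}

# For a shell rc: export SSH_AUTH_SOCK only when the link is live, otherwise unset it
# so `test -n "$SSH_AUTH_SOCK"` in scripts and prompts reflects whether an agent is
# really reachable.
export_live_agent() {
    if sock=$(agent_link_target "$1"); then
        SSH_AUTH_SOCK=$sock; export SSH_AUTH_SOCK; return 0
    fi
    unset SSH_AUTH_SOCK; return 1
}

# --- constructed demo: two ways the link goes bad ---------------------------------
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Session ended and sshd removed its socket directory: the link dangles.
DANGLING="$WORK/dangling"; ln -s "$WORK/agent.gone/agent.12345" "$DANGLING"
# Path exists again but is a regular file, not a socket.
NOTSOCK="$WORK/notsock"; : > "$WORK/plainfile"; ln -s "$WORK/plainfile" "$NOTSOCK"
for link in "$DANGLING" "$NOTSOCK"; do
    if sock=$(agent_link_target "$link"); then echo "live:  $link -> $sock"
    else echo "stale: $link -> $(readlink "$link")"; fi
done
```

Call export_live_agent "$HOME/.ssh/ssh_auth_sock" from your shell startup inside tmux; when it returns 1, reconnect with ssh -A and the rc script above refreshes the link.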