pam_ssh_agent_auth(8) - Linux man page
PAM_SSH_AGENT_AUTH
This module provides authentication via ssh-agent. If an ssh-agent listening at SSH_AUTH_SOCK can successfully authenticate that it has the secret key for a public key in the specified file, authentication is granted, otherwise authentication fails.
Summary
- /etc/pam.d/sudo: auth
- /etc/sudoers:
-
Defaults env_keep += "SSH_AUTH_SOCK"
- This configuration would permit anyone who has an SSH_AUTH_SOCK that manages the private key matching a public key in
/etc/security/authorized_keys to execute sudo without having to enter a password. Note that the ssh-agent listening to SSH_AUTH_SOCK can either
be local, or forwarded.
Unlike NOPASSWD , this still requires an authentication, it's just that the authentication is provided by ssh-agent, and not password entry.
sufficient
pam_ssh_agent_auth.so file=/etc/security/authorized_keys
Arguments
file=<path to authorized_keys>
- Specify the path to the authorized_keys file(s) you would like to use for authentication. Subject to tilde and % EXPANSIONS (below)
- allow_user_owned_authorized_keys_file
- A flag which enables authorized_keys files to be owned by the invoking user, instead of root. This flag is enabled automatically whenever the expansions %h or ~ are used.
- debug
- A flag which enables verbose logging
- sudo_service_name=<service name you compiled sudo to use>
- (when compiled with --enable-sudo-hack)
Specify the service name to use to identify the service "sudo". When the PAM_SERVICE identifier matches this string, and if PAM_RUSER is not set, pam_ssh_agent_auth will attempt to identify the calling user from the environment variable SUDO_USER .
This defaults to "sudo".
Expansions
~ -- same as in shells, a user's Home directory
- Automatically enables allow_user_owned_authorized_keys_file if used in the context of ~/. If used as ~user/, it would expect the file to be owned by 'user', unless you explicitely set allow_user_owned_authorized_keys_file
- %h -- User's Home directory
- Automatically enables allow_user_owned_authorized_keys_file
- %H -- The short-hostname
- %u -- Username
- %f -- FQDN
- %u -- Username
Examples
in /etc/pam.d/sudo
- "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"
- The default .ssh/authorized_keys file in a user's home-directory
- "auth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys"
- Same as above.
- "auth sufficient pam_ssh_agent_auth.so file=~fred/.ssh/authorized_keys"
- If the home-directory of user 'fred' was /home/fred, this would expand to /home/fred/.ssh/authorized_keys. In this case, we have not specified allow_user_owned_authorized_keys_file, so this file must be owned by 'fred'.
- "auth sufficient pam_ssh_agent_auth.so file=/secure/%H/%u/authorized_keys allow_user_owned_authorized_keys_file"
- On a host named foobar.baz.com, and a user named fred, would expand to /secure/foobar/fred/authorized_keys. In this case, we specified allow_user_owned_authorized_keys_file, so fred would be able to manage that authorized_keys file himself.
- "auth sufficient pam_ssh_agent_auth.so file=/secure/%f/%u/authorized_keys"
- On a host named foobar.baz.com, and a user named fred, would expand to /secure/foobar.baz.com/fred/authorized_keys. In this case, we have not specified allow_user_owned_authorized_keys_file, so this file must be owned by root.