pam_ssh_agent_auth

SourceForge project page


Section: PAM (8)
Updated: 2009-07-21

PAM_SSH_AGENT_AUTH

This module provides authentication via ssh-agent. It takes three arguments: file=/path/to/authorized_keys, debug, and allow_user_owned_authorized_keys_file. If an ssh-agent listening at SSH_AUTH_SOCK can prove that it holds the private key for a public key listed in the specified file, authentication is granted; otherwise authentication fails.

SUMMARY

/etc/pam.d/sudo:
 auth       sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys

/etc/sudoers:
 Defaults    env_keep += "SSH_AUTH_SOCK"

This configuration would permit anyone who has an SSH_AUTH_SOCK that manages the private key matching a public key in /etc/security/authorized_keys to execute sudo without having to enter a password. Note that the ssh-agent listening to SSH_AUTH_SOCK can either be local, or forwarded.

Unlike NOPASSWD, this still requires authentication; the authentication is simply provided by ssh-agent instead of by password entry.

EXPANSIONS

~  --- same as in shells, the user's home directory; automatically enables allow_user_owned_authorized_keys_file
%h --- the user's home directory; automatically enables allow_user_owned_authorized_keys_file
%H --- the short hostname
%u --- the username
%f --- the FQDN
 

EXAMPLES

In /etc/pam.d/sudo:

auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
The default .ssh/authorized_keys file in the user's home directory.

auth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys
Same as above.

auth sufficient pam_ssh_agent_auth.so file=/secure/%H/%u/authorized_keys allow_user_owned_authorized_keys_file
On a host named foobar.baz.com, for a user named fred, this expands to /secure/foobar/fred/authorized_keys. Because allow_user_owned_authorized_keys_file is specified, fred is able to manage that authorized_keys file himself.

auth sufficient pam_ssh_agent_auth.so file=/secure/%f/%u/authorized_keys
On a host named foobar.baz.com, for a user named fred, this expands to /secure/foobar.baz.com/fred/authorized_keys. Because allow_user_owned_authorized_keys_file is not specified, this file must be owned by root.
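The expansion and ownership rules above, worked through as an added example; this is not code from the module itself. It parses a pam.d line, expands the file= template, and reports which UIDs may own the resulting file (root only, or root and the user when the flag is given or implied by ~/%h). The user fred, uid 1000, home /home/fred and host foobar.baz.com are constructed sample values.

```python
import os
import shlex

MODULE = "pam_ssh_agent_auth.so"
FLAG = "allow_user_owned_authorized_keys_file"

def parse_pam_line(line):
    """Split an 'auth <control> pam_ssh_agent_auth.so arg...' line into
    (control, {arg: value}); bare flags get the value True."""
    fields = shlex.split(line)
    if len(fields) < 3 or fields[0] != "auth" or fields[2] != MODULE:
        raise ValueError(f"not a pam_ssh_agent_auth auth line: {line!r}")
    args = {}
    for arg in fields[3:]:
        key, sep, value = arg.partition("=")
        args[key] = value if sep else True
    return fields[1], args

def expand_keyfile(template, user, home, fqdn):
    """Expand ~, %h, %H, %u and %f as documented above.  Also returns whether
    ~ or %h was used, since either implicitly enables the user-owned flag."""
    short_host = fqdn.split(".", 1)[0]
    implicit_user_owned = template.startswith("~") or "%h" in template
    path = home + template[1:] if template.startswith("~") else template
    path = (path.replace("%h", home).replace("%H", short_host)
                .replace("%u", user).replace("%f", fqdn))
    return path, implicit_user_owned

def allowed_owner_uids(line, user, uid, home, fqdn):
    """Return (expanded path, set of UIDs permitted to own that file).
    Root is always acceptable; the user only when the flag is set or implied."""
    _, args = parse_pam_line(line)
    template = args.get("file")
    if not isinstance(template, str):
        raise ValueError("file= argument missing")
    path, implicit = expand_keyfile(template, user, home, fqdn)
    owners = {0}
    if implicit or args.get(FLAG) is True:
        owners.add(uid)
    return path, owners

def keyfile_owner_ok(path, owners, stat_fn=os.stat):
    """Audit helper: True when the file exists and its owner is permitted."""
    try:
        return stat_fn(path).st_uid in owners
    except FileNotFoundError:
        return False

if __name__ == "__main__":
    cfg = "auth sufficient pam_ssh_agent_auth.so file=/secure/%f/%u/authorized_keys"
    print(allowed_owner_uids(cfg, "fred", 1000, "/home/fred", "foobar.baz.com"))
```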
