Setting up PAM SSH agent authentication for sudo login

Setting up your Ubuntu server

For security reasons it is good to disable password based login and use ssh keys instead. As long you are using the root user this works fine. If you want to use regular user accounts you will soon have the problem that the sudo prompt wants a password as authorization. I use the pam_ssh_agent_auth package with ssh keys instead.

1. Install required software

First you have to install following packages from the Ubuntu repo to be able to build the pam_ssh_agent_auth archive.

$ sudo apt-get install build-essential checkinstall libssl-dev libpam0g-dev

2. Download and install pam_ssh_agent_auth

Then you need the latest version of the archive. When I wrote this article 0.10.3 was the latest one.

$ wget “http://downloads.sourceforge.net/project/pamsshagentauth/pam_ssh_agent_auth/v0.10.3/pam_ssh_agent_auth-0.10.3.tar.bz2" -P /tmp
tar -xjvf pam_ssh_agent_auth-0.10.3.tar.bz2

Next you have to configure it and create a Makefile:

$ /tmp/pam_ssh_agent_auth-0.10.3/configure — libexecdir=/lib/security — with-mantype=man

Now you can build and install the pam_ssh_agent_auth:

$ cd /tmp
$ make
$ sudo checkinstall

Now the package is installed on your server. As the last two steps you have to configure sudo to use this package. Open /etc/pam.d/sudo and add following:

#%PAM-1.0
auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
auth required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
…..

Instead of the key file in the user directory you can also create a global used authorized_keys file under /etc/security/authorized_keys for example.

As the last step you have to add following to /etc/sudoers using visudo command:

Defaults env_keep += SSH_AUTH_SOCK
Defaults env_reset
Defaults mail_badpass
……

Setting up your Client

With Putty on Windows

First you have to run Pageant and add your SSH key

Add your key to Pageant Key List

Then setup your connection details

Connection details

As last step you have to activate the forwarding of the key for this connection. Go to ‘Conncection -> SSH -> Auth’

Allow the agent to forward your key

Now you can save this settings with your prefferd name under ‘Session’

On Mac/Linux/BSD with ‘ssh-add’

Add your ssh key to your agent with:

$ ssh-add /path/to/your/key/id_rsa

If you want to forward this key you have to start your connection with ‘-A’

$ ssh -A user@host

Now you should be able to run a command as sudo without remembering or setting up a password for your user.