Setting up PAM SSH agent authentication for sudo login
Setting up your Ubuntu server
For security reasons it is good to disable password based login and use ssh keys instead. As long you are using the root user this works fine. If you want to use regular user accounts you will soon have the problem that the sudo prompt wants a password as authorization. I use the pam_ssh_agent_auth package with ssh keys instead.
1. Install required software
First you have to install following packages from the Ubuntu repo to be able to build the pam_ssh_agent_auth archive.
$ sudo apt-get install build-essential checkinstall libssl-dev libpam0g-dev
2. Download and install pam_ssh_agent_auth
Then you need the latest version of the archive. When I wrote this article 0.10.3 was the latest one.
$ wget “http://downloads.sourceforge.net/project/pamsshagentauth/pam_ssh_agent_auth/v0.10.3/pam_ssh_agent_auth-0.10.3.tar.bz2" -P /tmp
tar -xjvf pam_ssh_agent_auth-0.10.3.tar.bz2
Next you have to configure it and create a Makefile:
$ /tmp/pam_ssh_agent_auth-0.10.3/configure — libexecdir=/lib/security — with-mantype=man
Now you can build and install the pam_ssh_agent_auth:
$ cd /tmp
$ sudo checkinstall
Now the package is installed on your server. As the last two steps you have to configure sudo to use this package. Open /etc/pam.d/sudo and add following:
auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
auth required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
Instead of the key file in the user directory you can also create a global used authorized_keys file under /etc/security/authorized_keys for example.
As the last step you have to add following to /etc/sudoers using visudo command:
Defaults env_keep += SSH_AUTH_SOCK
Setting up your Client
With Putty on Windows
First you have to run Pageant and add your SSH key
Then setup your connection details
As last step you have to activate the forwarding of the key for this connection. Go to ‘Conncection -> SSH -> Auth’
Now you can save this settings with your prefferd name under ‘Session’
On Mac/Linux/BSD with ‘ssh-add’
Add your ssh key to your agent with:
$ ssh-add /path/to/your/key/id_rsa
If you want to forward this key you have to start your connection with ‘-A’
$ ssh -A user@host
Now you should be able to run a command as sudo without remembering or setting up a password for your user.