Pam ssh agent auth
The PAM module sys-auth/pam_ssh_agent_auth allows a locally installed SSH key to authenticate for app-admin/sudo. This is useful for those who are not happy with completely passwordless sudo, but do not want to be frequently typing passwords.
Installation
Emerge
root # emerge --ask pam_ssh_agent_auth
Configuration
Create SSH keys
Have each user who would like this capability follow the guide on the SSH wiki page to create SSH keys.
PAM sudo file
Configure sudo to try using public keys, then fall back to normal password authentication:
FILE
/etc/pam.d/sudo
...
auth [success=3 default=ignore] pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys
auth include system-auth
account include system-auth
session include system-auth
...
Configure sudoers to preserve the environment variable SSH_AUTH_SOCK:
FILE
/etc/sudoers
...
Defaults env_keep += "SSH_AUTH_SOCK"
...
Add desired user's public key
Repeat this step for each user who should be able to authenticate to sudo with a key:
root # cat /home/<user>/.ssh/*.pub >> /etc/ssh/sudo_authorized_keys
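Every key listed in the file passed via file= can satisfy sudo's auth stack, so the file is worth checking after each append. The shell function below is an added example, not part of the original article or of pam_ssh_agent_auth; the name audit_keyfile and its optional owner-uid argument are assumptions of the example, and it only checks ownership, write permissions, entry format and duplicates.

```shell
#!/bin/sh
# audit_keyfile FILE [OWNER_UID]
#   FILE       key list passed to pam_ssh_agent_auth.so via file=
#   OWNER_UID  uid that must own FILE, default 0 (root). This parameter is an
#              assumption of the example, so it can be tried on a scratch copy.
# Returns 0 when nothing is wrong, 1 otherwise.
audit_keyfile() {
    f=$1; want_uid=${2:-0}; bad=0
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL: $f is missing, a symlink, or not a regular file"
        return 1
    fi
    # "ls -ln" prints the mode string and the numeric owner: -rw-r--r-- 1 0 0 ...
    perms=$(ls -ln "$f" | awk '{ print $1; exit }')
    uid=$(ls -ln "$f" | awk '{ print $3; exit }')
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $f is owned by uid $uid, expected $want_uid"; bad=1
    fi
    # Character 6 of the mode string is group write, character 9 is world write.
    case $perms in
        ?????w*|????????w*)
            echo "FAIL: $f is group- or world-writable ($perms)"; bad=1 ;;
    esac
    # One pass over the entries (non-blank, non-comment lines):
    #  - a line appended from a *.pub file starts with its key type
    #  - the same key blob twice means the append step was repeated
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 !~ /^(ssh-|ecdsa-|sk-)/ {
            printf "FAIL: line %d does not start with a key type\n", NR
            bad = 1; next
        }
        seen[$2]++ {
            printf "FAIL: line %d repeats the key from line %d\n", NR, first[$2]
            bad = 1; next
        }
        { first[$2] = NR; n++ }
        END { printf "%d distinct key(s) can authenticate sudo\n", n; exit bad + 0 }
    ' "$f" || bad=1
    return "$bad"
}

# Audit the path given on the command line, if any.
if [ "$#" -gt 0 ]; then audit_keyfile "$@"; fi
```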
Extra: Launch ssh-agent at login
user $ echo "ssh-add" >> ~/.bash_profile
See also
- PAM — allows (third party) services to provide an authentication module for their service which can then be used on PAM enabled systems.
This article is issued from Gentoo. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.