[Tfug] using ssh key for sudo auth?

Chad Woolley thewoolleyman at gmail.com
Thu May 10 01:15:56 MST 2007

I think it is timing out correctly, I was probably confused.

However, there is another issue to be aware of.  I didn't realize this
was looking at the PASSPHRASE of your PRIVATE keys on the local
userid, not the public key you authenticated with.

By default, the /etc/pam.d/pam-ssh-auth looks at all the standard
private key filenames - id_dsa, id_rsa, etc.

This means that if you enable this, any no-passphrase private key for
the current user will allow no-passphrase sudo access.  Even if you
type an incorrect passphrase, it will still allow sudo.

I got around this by manually changing pam-ssh-auth to only check the
keyfile that I care about.  I have to have no-passphrase keys for
automated code deployment, backups, and such.  It would be better to
not have a default-named no-passphrase key at all, and instead give it
a custom name, and then explicitly specify the keyfile name for a
specific host in the ssh config file using IdentityFile.

Anyway, PAM is definitly going to do what I wanted, after I fix all
the bad security practices I was doing already :).  Thanks again.

On 5/9/07, Stephen Hooper <stephen.hooper at gmail.com> wrote:
> Maybe if you don't do that, but instead edit the same file
> ("/etc/pam.d/sudo"), and just put in the "auth" line, and not the
> "session" line it will timeout.
> Without seeing your file I cannot say for sure (and I have never used
> this product), but mine looks like this:
> auth    include         system-auth
> account include         system-auth
> password        include         system-auth
> session include         system-auth
> What I would do, would be add a line at the very top:
> "auth required pam_ssh"
> That way keys aren't getting added to the agent.  The problem may
> still be if a key is added to the agent (for example you doing it
> manually) it may still not timeout.
> On 5/9/07, Chad Woolley <thewoolleyman at gmail.com> wrote:
> > There was one additional step required.  I had to edit
> > /etc/pam.d/sudo, and add this as the first include:
> >
> > @include pam-ssh-auth
> >
> > Then is uses my ssh passphrase.  It still doesn't timeout like normal
> > sudo, though...
> >
> > -- Chad
> >
> > On 5/9/07, Chad Woolley <thewoolleyman at gmail.com> wrote:
> > > Stephen,
> > >
> > > PAM was exactly what I needed.  I ran this:
> > >
> > > sudo apt-get install libpam-ssh
> > >
> > > And now I can sudo without a password after authenticating via ssh
> > > with my key.  Thanks!!!!
> > >
> > > -- Chad
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org

More information about the tfug mailing list