PAM confusion

Michael W. Lucas mwlucas at
Thu Dec 8 16:45:35 UTC 2011


I'm attempting to hook security/pam_ssh_agent_auth into sudo, and have
learned that PAM doesn't work the way I thought it did.

I'm running FreeBSD-9/i386, with sudo

My goal is that sudo pass all auth requests back to the users' SSH
agent.  Sudo should never use passwords for authentication. If the
user doesn't have an SSH agent, or if the SSH agent breaks somehow,
the sudo request is denied.

With my current config, sudo requests are accepted without a password
even if the users' environment has no $SSH_AUTH_SOCK. I'm obviously
doing something wrong.

Here's my pam.d/sudo. I removed password settings and required the
pam_ssh_agent_auth library.

#auth           include         system
auth            required        /usr/local/lib/ file=~/.ssh/authorized\

# account
account         include         system

# session
# XXX: pam_lastlog (used in system) causes users to appear as though
# they are no longer logged in in system logs.
session         required

# password
#password       include         system

Any suggestions what I'm doing wrong?


Michael W. Lucas,
Latest book: Network Flow Analysis
mwlucas at, Twitter @mwlauthor
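The behaviour the post is chasing is decided by the control flags in the auth chain (required, requisite, sufficient, optional, binding) and by what an `include system` line pulls in. The following is an added example, not code from the post or from pam_ssh_agent_auth: a small evaluator of OpenPAM-style chain semantics, run over constructed stacks. The `system` text is a constructed stand-in for FreeBSD's /etc/pam.d/system, and the module path /usr/local/lib/pam_ssh_agent_auth.so is an assumption about where the port installs.

```python
# Added example: evaluator for PAM auth-chain control flags. All stacks below are constructed.

def parse_pam(text, includes=None):
    """Return (facility, control, module) triples, expanding 'include' lines."""
    includes = includes or {}
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed pam.d line: %r" % raw)
        facility, control, module = fields[:3]
        if control == "include":                  # pull this facility's chain from the other file
            entries += [e for e in parse_pam(includes[module], includes) if e[0] == facility]
        else:
            entries.append((facility, control, module))
    return entries

def evaluate(entries, facility, results):
    """Walk one chain; `results` maps module -> True/False, unlisted modules fail."""
    chain = [e for e in entries if e[0] == facility]
    failed, consulted = False, []
    for _, control, module in chain:
        consulted.append(module)
        ok = results.get(module, False)
        if control == "requisite" and not ok:     # fail fast, stop the chain
            return False, consulted
        if control in ("required", "binding") and not ok:
            failed = True                         # remember the failure, keep walking
        if control in ("sufficient", "binding") and ok and not failed:
            return True, consulted                # short-circuit success
        if control == "optional" and len(chain) == 1:
            return ok, consulted
    return bool(chain) and not failed, consulted  # empty chain => denied

SYSTEM = """
auth    sufficient  pam_opie.so        no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so  no_warn allow_local
auth    required    pam_unix.so        no_warn try_first_pass
"""
AGENT = "/usr/local/lib/pam_ssh_agent_auth.so"   # assumed install path of the port
AGENT_ONLY = "auth required %s file=~/.ssh/authorized_keys\n" % AGENT
AGENT_THEN_SYSTEM = "auth sufficient %s\nauth include system\n" % AGENT   # common mistake

def sudo_allowed(stack, agent_ok, password_ok):
    entries = parse_pam(stack, {"system": SYSTEM})
    results = {AGENT: agent_ok, "pam_opieaccess.so": True, "pam_unix.so": password_ok}
    return evaluate(entries, "auth", results)[0]
```

With the agent module as the only `required` entry, a missing or broken agent denies sudo regardless of password; placing it as `sufficient` above an `include system` silently falls back to pam_unix and a password.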
