Michael W. Lucas
mwlucas at blackhelicopters.org
Tue Dec 13 14:09:48 UTC 2011
On Mon, Dec 12, 2011 at 03:34:28PM -0600, Reid Linnemann wrote:
> On Thu, Dec 8, 2011 at 10:45 AM, Michael W. Lucas
> <mwlucas at blackhelicopters.org> wrote:
> > Hi,
> > I'm attempting to hook security/pam_ssh_agent_auth into sudo, and have
> > learned that PAM doesn't work the way I thought it did.
> > I'm running FreeBSD-9/i386, with sudo 188.8.131.52.
> > My goal is that sudo pass all auth requests back to the users' SSH
> > agent. Sudo should never use passwords for authentication. If the
> > user doesn't have an SSH agent, or if the SSH agent breaks somehow,
> > the sudo request is denied.
> > With my current config, sudo requests are accepted without a password
> > even if the users' environment has no $SSH_AUTH_SOCK. I'm obviously
> > doing something wrong.
> > Here's my pam.d/sudo. I removed password settings and required the
> > pam_ssh_agent_auth library.
> > ---
> > #auth           include         system
> > auth            required        /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized\
> > _keys
> > # account
> > account         include         system
> > # session
> > # XXX: pam_lastlog (used in system) causes users to appear as though
> > # they are no longer logged in in system logs.
> > session         required        pam_permit.so
> > # password
> > #password       include         system
> > ---
> > Any suggestions what I'm doing wrong?
> > Thanks,
> > ==ml
> > --
> > Michael W. Lucas
> > http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
> > Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
> > mwlucas at BlackHelicopters.org, Twitter @mwlauthor
> Make sure your sudoers file has
> Defaults env_keep += "SSH_AUTH_SOCK"
> Also, make sure your matching rule for your user doesn't have NOPASSWD
> set. It seems that since you've already authenticated to the system,
> sudo still knows the user and/or group credentials without the pam
> module's help - all it does is authenticate the public and private
> keys. If you have NOPASSWD, sudo doesn't even think it needs to refer
> to the authentication mechanism because according to sudoers it needs
> no password for the user issuing the request.
Thanks for answering!
Turns out my problem was that sudo caches the last time the user
For future reference, I blogged how to set this up at
Michael W. Lucas
Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
mwlucas at BlackHelicopters.org, Twitter @mwlauthor
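The two places Reid points at (sudoers must keep SSH_AUTH_SOCK and must not carry NOPASSWD) plus the agent-only auth stack Michael wants can be checked mechanically before testing with sudo itself. The script below is an added example, not code from the thread or from the pam_ssh_agent_auth project: it audits a pam.d/sudo file and a sudoers file, and when run without arguments it builds constructed sample files (the paths and contents are illustrative, including the /etc/security/authorized_keys location chosen for the "good" sample) to show one passing and one failing case of each.

```shell
#!/bin/sh
# Audit helpers for the agent-only sudo setup discussed in the thread.
# Added example, not the posters' or the project's code.

# Return 0 when every active "auth" line loads pam_ssh_agent_auth with a
# control flag that fails the stack on rejection; return 1 when the auth
# stack is empty, re-includes "system"/pam_unix (password fallback), or
# loads the module as something weaker than required/requisite.
audit_pam_sudo() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blank
        $1 == "auth" {
            n++
            if ($2 == "include" || $3 ~ /pam_unix/) { bad++; next }
            if ($3 !~ /pam_ssh_agent_auth/)          { bad++; next }
            if ($2 != "required" && $2 != "requisite") { bad++ }
        }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }
    ' "$1"
}

# Return 0 when sudoers preserves SSH_AUTH_SOCK (the module cannot reach the
# agent without it) and no uncommented rule carries NOPASSWD (which makes
# sudo skip PAM authentication entirely); 1 otherwise.
audit_sudoers() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"?[^"]*SSH_AUTH_SOCK' "$1" \
        || return 1
    ! grep -Ev '^[[:space:]]*#' "$1" | grep -q 'NOPASSWD'
}

# Write constructed sample files (illustrative contents only) into a temp
# directory and print its path.
make_samples() {
    d=$(mktemp -d) || return 1
    cat > "$d/sudo.good" <<'EOF'
auth     required   /usr/local/lib/pam_ssh_agent_auth.so file=/etc/security/authorized_keys
account  include    system
session  required   pam_permit.so
EOF
    cat > "$d/sudo.bad" <<'EOF'
auth     include    system
auth     sufficient /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
account  include    system
EOF
    cat > "$d/sudoers.good" <<'EOF'
Defaults env_keep += "SSH_AUTH_SOCK"
%wheel ALL=(ALL) ALL
EOF
    cat > "$d/sudoers.bad" <<'EOF'
# env_keep line missing; NOPASSWD bypasses PAM
%wheel ALL=(ALL) NOPASSWD: ALL
EOF
    printf '%s\n' "$d"
}

# With two arguments audit real files; otherwise run the constructed samples.
main() {
    if [ $# -eq 2 ]; then
        audit_pam_sudo "$1" && echo "$1: auth stack is agent-only" \
            || echo "$1: auth stack allows a non-agent path"
        audit_sudoers "$2" && echo "$2: sudoers keeps SSH_AUTH_SOCK, no NOPASSWD" \
            || echo "$2: sudoers breaks or bypasses agent auth"
        return 0
    fi
    d=$(make_samples) || return 1
    for f in sudo.good sudo.bad; do
        if audit_pam_sudo "$d/$f"; then echo "$f: OK"; else echo "$f: NOT agent-only"; fi
    done
    for f in sudoers.good sudoers.bad; do
        if audit_sudoers "$d/$f"; then echo "$f: OK"; else echo "$f: allows bypass"; fi
    done
    rm -rf "$d"
}

main "$@"
```

Run it as `sh audit.sh /etc/pam.d/sudo /usr/local/etc/sudoers` to check a live system. When re-testing the PAM stack afterwards, clear sudo's timestamp cache first (`sudo -k`), since a still-valid cached authentication makes the stack look like it is being skipped.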