From 091d9e1f78ea8d73a0435b2ce0e2bf4885b49eb7 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 28 Jan 2024 10:51:46 -0600
Subject: [PATCH] r/sudo: Optionally enable pam_ssh_agent_auth

The [pam_ssh_agent_auth][0] PAM module authenticates users using keys in their SSH agent. Using SSH agent forwarding, it can even authenticate users with keys on a remote system. By adding it to the PAM stack for `sudo`, we can configure the latter to authenticate users without requiring a password. For servers especially, this is significantly more secure than configuring `sudo` not to require a password, while still being almost as convenient.

For this to work, users need to enable SSH agent forwarding on their clients, and their public keys have to be listed in the `/etc/security/sudo.authorized_keys` file. Additionally, although the documentation suggests otherwise, the `SSH_AUTH_SOCK` environment variable has to be added to the `env_keep` list in *sudoers(5)*.

[0]: https://github.com/jbeverly/pam_ssh_agent_auth
---
 roles/sudo/defaults/main.yml | 4 +++
 roles/sudo/tasks/main.yml | 55 ++++++++++++++++++++++++++++--
 roles/sudo/templates/sudo.pam.conf | 10 ++++++
 3 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 roles/sudo/templates/sudo.pam.conf
diff --git a/roles/sudo/defaults/main.yml b/roles/sudo/defaults/main.yml
index 11f2f29..8c649fe 100644
--- a/roles/sudo/defaults/main.yml
+++ b/roles/sudo/defaults/main.yml
@@ -1 +1,5 @@
+sudo_use_pam_ssh_agent: false
+sudo_packages:
+- sudo
+- '{% if sudo_use_pam_ssh_agent %}pam_ssh_agent_auth{% endif %}'
 admin_users: []
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
index 027d6f4..bba57e2 100644
--- a/roles/sudo/tasks/main.yml
+++ b/roles/sudo/tasks/main.yml
@@ -1,7 +1,7 @@
-- name: ensure sudo is installed
+- name: ensure sudo packages are installed
 package:
- name=sudo
- state=present
+ name: '{{ sudo_packages|reject("eq", "") }}'
+ state: present
 tags:
 - install
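Review bot: `sudo_authorized_ssh_keys` is consumed by the new task in roles/sudo/tasks/main.yml (`content: '{{ sudo_authorized_ssh_keys }}'`) but gets no default in this hunk, so a host that sets `sudo_use_pam_ssh_agent: true` without defining it fails with an undefined-variable error instead of a meaningful message. Add `sudo_authorized_ssh_keys: ''` next to `sudo_use_pam_ssh_agent: false`, with a comment stating that it is the verbatim content of `/etc/security/sudo.authorized_keys` (one public key per line) and that every key listed there can authenticate to sudo on that host. The Jinja-in-a-list entry `'{% if sudo_use_pam_ssh_agent %}pam_ssh_agent_auth{% endif %}'`, which only works because the task later strips empty strings, is hard to read; `sudo_packages: "{{ ['sudo'] + (['pam_ssh_agent_auth'] if sudo_use_pam_ssh_agent else []) }}"` builds the same list without the empty-string sentinel. The package name also appears to be the Fedora/RHEL one (Debian-family distributions ship the module under a different package name), which is worth stating in a comment if the role is meant for one family only.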
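Review bot: `name: '{{ sudo_packages|reject("eq", "") }}'` passes the package module whatever `reject` yields; in Jinja2 that is a generator, and whether Ansible's templating turns it back into a list depends on the ansible-core version and native-template settings, so the value can degrade to a string. Append `| list` so the result is a list regardless: `name: '{{ sudo_packages | reject("eq", "") | list }}'`. The filter exists only to drop the empty string produced by the conditional entry in roles/sudo/defaults/main.yml; if that default is built as a real list, the filter can go and the task reads simply `name: '{{ sudo_packages }}'`.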
@@ -25,3 +25,52 @@
 file: path=/etc/sudoers.d/sudo state=absent
+
+- name: ensure pam is configured for sudo
+ template:
+ src: sudo.pam.conf
+ dest: /etc/pam.d/sudo
+ mode: u=rw,go=r
+ owner: root
+ group: root
+ tags:
+ - pam-ssh-agent
+
+- name: ensure sudo authorized ssh_keys are configured
+ copy:
+ dest: /etc/security/sudo.authorized_keys
+ content: '{{ sudo_authorized_ssh_keys }}'
+ mode: u=rw,go=r
+ owner: root
+ group: root
+ when: sudo_use_pam_ssh_agent
+ tags:
+ - pam-ssh-agent
+ - pam-ssh-agent-keys
+- name: ensure sudo authorized ssh_keys are not configured
+ file:
+ path: /etc/security/sudo.sshkeys
+ state: absent
+ when: not sudo_use_pam_ssh_agent
+ tags:
+ - pam-ssh-agent
+ - pam-ssh-agent-keys
+
+# Upstream documentation says this is only required for "old" versions
+# of sudo, however without it, SSH key authentication always fails. I
+# suspect it is only unnecessary when users originally authenticated to
+# the SSH daemon using a public key, but required for other forms of
+# authentication, such as GSSAPI.
+- name: ensure sudo is configured for pam_ssh_agent_auth
+ copy:
+ dest: /etc/sudoers.d/ssh-auth-sock
+ content: |+
+ {% if sudo_use_pam_ssh_agent %}
+ Defaults env_keep += "SSH_AUTH_SOCK"
+ {% endif %}
+ mode: u=rw,g=r,o=
+ owner: root
+ group: root
+ validate: visudo -cf %s
+ tags:
+ - pam-ssh-agent
diff --git a/roles/sudo/templates/sudo.pam.conf b/roles/sudo/templates/sudo.pam.conf
new file mode 100644
index 0000000..d8e6648
--- /dev/null
+++ b/roles/sudo/templates/sudo.pam.conf
@@ -0,0 +1,10 @@
+#%PAM-1.0
+{% if sudo_use_pam_ssh_agent %}
+-auth sufficient pam_ssh_agent_auth.so file=/etc/security/sudo.authorized_keys
+{% endif %}
+auth include system-auth
+account include system-auth
+password include system-auth
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session include system-auth
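Review bot: The cleanup task removes `path: /etc/security/sudo.sshkeys`, but the enable path writes `dest: /etc/security/sudo.authorized_keys`, so switching `sudo_use_pam_ssh_agent` back off leaves the authorized-keys file on disk (inert only because the PAM line is also dropped from the template) — change it to `path: /etc/security/sudo.authorized_keys`. The `ensure sudo is configured for pam_ssh_agent_auth` task runs unconditionally and, when the feature is off, still installs `/etc/sudoers.d/ssh-auth-sock` containing only the blank lines that `|+` keeps around the empty `{% if %}` block; guarding it with `when: sudo_use_pam_ssh_agent` and pairing it with a `state: absent` task, as the keys file already has, keeps sudoers.d free of empty drop-ins. `mode: u=rw,g=r,o=` (0640) is wider than the 0440 sudo expects for sudoers files and may draw a mode warning at parse time — confirm on the target and prefer `mode: u=r,g=r,o=`. A comment on the drop-in would also help operators: `# SSH_AUTH_SOCK is kept for every sudo invocation, not only for PAM authentication, so commands run under sudo can reach the invoking user's (possibly forwarded) agent.` Finally, `content: '{{ sudo_authorized_ssh_keys }}'` assumes a string; a list value would be written as its Python representation, so either document the expected type or render it with `| join('\n')`.

```yaml
- name: ensure sudo is configured for pam_ssh_agent_auth
  copy:
    dest: /etc/sudoers.d/ssh-auth-sock
    content: |
      Defaults env_keep += "SSH_AUTH_SOCK"
    # … unchanged: mode, owner, group, validate …
  when: sudo_use_pam_ssh_agent
  tags:
  - pam-ssh-agent

- name: ensure sudo is not configured for pam_ssh_agent_auth
  file:
    path: /etc/sudoers.d/ssh-auth-sock
    state: absent
  when: not sudo_use_pam_ssh_agent
  tags:
  - pam-ssh-agent
```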
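Review bot: `-auth sufficient pam_ssh_agent_auth.so file=/etc/security/sudo.authorized_keys` authorizes against a single shared file, so any key listed there satisfies sudo authentication for whichever account invokes sudo; there is no per-user mapping, and nothing in the template says so. Add a comment above the line, e.g. `# Any key in this file authenticates ANY user running sudo when their forwarded agent holds it; keep the list to administrators only.` — if per-user keys are wanted, the module documents path tokens such as `%u` for the `file=` option (confirm against the installed version). The leading `-` correctly keeps the stack usable when the module is absent, and `sufficient` intentionally short-circuits the `system-auth` include on a key match, which the same comment should state. Because the task in roles/sudo/tasks/main.yml writes this file even when `sudo_use_pam_ssh_agent` is false, the role now replaces the distribution's `/etc/pam.d/sudo` on every host; the `system-auth` and `pam_keyinit.so revoke` lines look Fedora/RHEL-specific, so a header comment naming the intended target family would prevent surprises elsewhere.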