r/sudo: Optionally enable pam_ssh_agent_auth

The [pam_ssh_agent_auth][0] PAM module authenticates users using keys in their SSH agent. Using SSH agent forwarding, it can even authenticate users with keys on a remote system. By adding it to the PAM stack for `sudo`, we can configure the latter to authenticate users without requiring a password. For servers especially, this is significantly more secure than configuring `sudo` not to require a password, while still being almost as convenient. For this to work, users need to enable SSH agent forwarding on their clients, and their public keys have to be listed in the `/etc/security/sudo.authorized_keys` file. Additionally, although the documentation suggests otherwise, the `SSH_AUTH_SOCK` environment variable has to be added to the `env_keep` list in *sudoers(5)*. [0]: https://github.com/jbeverly/pam_ssh_agent_auth
2024-01-28 10:51:46 -06:00 · 2024-01-28 10:51:46 -06:00 · 091d9e1f78
parent 7569c9da0d
commit 091d9e1f78
3 changed files with 66 additions and 3 deletions
--- a/roles/sudo/defaults/main.yml
+++ b/roles/sudo/defaults/main.yml
@ -1 +1,5 @@
+sudo_use_pam_ssh_agent: false
+sudo_packages:
+- sudo
+- '{% if sudo_use_pam_ssh_agent %}pam_ssh_agent_auth{% endif %}'
 admin_users: []
--- a/roles/sudo/tasks/main.yml
+++ b/roles/sudo/tasks/main.yml
@ -1,7 +1,7 @@
- name: ensure sudo is installed
+- name: ensure sudo packages are installed
  package:
-    name=sudo
-    state=present
+    name: '{{ sudo_packages|reject("eq", "") }}'
+    state: present
  tags:
  - install

@ -25,3 +25,52 @@
  file:
    path=/etc/sudoers.d/sudo
    state=absent
+
+- name: ensure pam is configured for sudo
+  template:
+    src: sudo.pam.conf
+    dest: /etc/pam.d/sudo
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  tags:
+  - pam-ssh-agent
+
+- name: ensure sudo authorized ssh_keys are configured
+  copy:
+    dest: /etc/security/sudo.authorized_keys
+    content: '{{ sudo_authorized_ssh_keys }}'
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  when: sudo_use_pam_ssh_agent
+  tags:
+  - pam-ssh-agent
+  - pam-ssh-agent-keys
+- name: ensure sudo authorized ssh_keys are not configured
+  file:
+    path: /etc/security/sudo.sshkeys
+    state: absent
+  when: not sudo_use_pam_ssh_agent
+  tags:
+  - pam-ssh-agent
+  - pam-ssh-agent-keys
+
+# Upstream documentation says this is only required for "old" versions
+# of sudo, however without it, SSH key authentication always fails.  I
+# suspect it is only unnecessary when users originally authenticated to
+# the SSH daemon using a public key, but required for other forms of
+# authentication, such as GSSAPI.
+- name: ensure sudo is configured for pam_ssh_agent_auth
+  copy:
+    dest: /etc/sudoers.d/ssh-auth-sock
+    content: |+
+      {% if sudo_use_pam_ssh_agent %}
+      Defaults   env_keep += "SSH_AUTH_SOCK"
+      {% endif %}
+    mode: u=rw,g=r,o=
+    owner: root
+    group: root
+    validate: visudo -cf %s
+  tags:
+  - pam-ssh-agent
--- a/roles/sudo/templates/sudo.pam.conf
+++ b/roles/sudo/templates/sudo.pam.conf
@ -0,0 +1,10 @@
+#%PAM-1.0
+{% if sudo_use_pam_ssh_agent %}
+-auth      sufficient   pam_ssh_agent_auth.so file=/etc/security/sudo.authorized_keys
+{% endif %}
+auth       include      system-auth
+account    include      system-auth
+password   include      system-auth
+session    optional     pam_keyinit.so revoke
+session    required     pam_limits.so
+session    include      system-auth