configpolicy

dustin

configpolicy

Fork 0

Commit Graph

Author	SHA1	Message	Date
Dustin	091d9e1f78	r/sudo: Optionally enable pam_ssh_agent_auth The [pam_ssh_agent_auth][0] PAM module authenticates users using keys in their SSH agent. Using SSH agent forwarding, it can even authenticate users with keys on a remote system. By adding it to the PAM stack for `sudo`, we can configure the latter to authenticate users without requiring a password. For servers especially, this is significantly more secure than configuring `sudo` not to require a password, while still being almost as convenient. For this to work, users need to enable SSH agent forwarding on their clients, and their public keys have to be listed in the `/etc/security/sudo.authorized_keys` file. Additionally, although the documentation suggests otherwise, the `SSH_AUTH_SOCK` environment variable has to be added to the `env_keep` list in sudoers(5). [0]: https://github.com/jbeverly/pam_ssh_agent_auth	2024-01-28 12:16:35 -06:00

Author

SHA1

Message

Date

Dustin

091d9e1f78

r/sudo: Optionally enable pam_ssh_agent_auth

The [pam_ssh_agent_auth][0] PAM module authenticates users using keys in
their SSH agent.  Using SSH agent forwarding, it can even authenticate
users with keys on a remote system.  By adding it to the PAM stack for
`sudo`, we can configure the latter to authenticate users without
requiring a password.  For servers especially, this is significantly
more secure than configuring `sudo` not to require a password, while
still being almost as convenient.

For this to work, users need to enable SSH agent forwarding on their
clients, and their public keys have to be listed in the
`/etc/security/sudo.authorized_keys` file.  Additionally, although the
documentation suggests otherwise, the `SSH_AUTH_SOCK` environment
variable has to be added to the `env_keep` list in *sudoers(5)*.

[0]: https://github.com/jbeverly/pam_ssh_agent_auth

2024-01-28 12:16:35 -06:00

1 Commits (c300dc1b6cce53e0f206df670059e0d22f1d394b)