r/sudo: Optionally enable pam_ssh_agent_auth
The [pam_ssh_agent_auth][0] PAM module authenticates users using keys in their SSH agent. Using SSH agent forwarding, it can even authenticate users with keys on a remote system. By adding it to the PAM stack for `sudo`, we can configure the latter to authenticate users without requiring a password. For servers especially, this is significantly more secure than configuring `sudo` not to require a password, while still being almost as convenient. For this to work, users need to enable SSH agent forwarding on their clients, and their public keys have to be listed in the `/etc/security/sudo.authorized_keys` file. Additionally, although the documentation suggests otherwise, the `SSH_AUTH_SOCK` environment variable has to be added to the `env_keep` list in *sudoers(5)*. [0]: https://github.com/jbeverly/pam_ssh_agent_auth
This commit is contained in:
@@ -1 +1,5 @@
|
||||
sudo_use_pam_ssh_agent: false
|
||||
sudo_packages:
|
||||
- sudo
|
||||
- '{% if sudo_use_pam_ssh_agent %}pam_ssh_agent_auth{% endif %}'
|
||||
admin_users: []
|
||||
|
||||
Reference in New Issue
Block a user