r/sudo: Optionally enable pam_ssh_agent_auth

The [pam_ssh_agent_auth][0] PAM module authenticates users using keys in their SSH agent. Using SSH agent forwarding, it can even authenticate users with keys on a remote system. By adding it to the PAM stack for `sudo`, we can configure the latter to authenticate users without requiring a password. For servers especially, this is significantly more secure than configuring `sudo` not to require a password, while still being almost as convenient. For this to work, users need to enable SSH agent forwarding on their clients, and their public keys have to be listed in the `/etc/security/sudo.authorized_keys` file. Additionally, although the documentation suggests otherwise, the `SSH_AUTH_SOCK` environment variable has to be added to the `env_keep` list in *sudoers(5)*. [0]: https://github.com/jbeverly/pam_ssh_agent_auth
2024-01-28 10:51:46 -06:00
parent 7569c9da0d
commit 091d9e1f78
3 changed files with 66 additions and 3 deletions
--- a/roles/sudo/templates/sudo.pam.conf
+++ b/roles/sudo/templates/sudo.pam.conf
@@ -0,0 +1,10 @@
+#%PAM-1.0
+{% if sudo_use_pam_ssh_agent %}
+-auth      sufficient   pam_ssh_agent_auth.so file=/etc/security/sudo.authorized_keys
+{% endif %}
+auth       include      system-auth
+account    include      system-auth
+password   include      system-auth
+session    optional     pam_keyinit.so revoke
+session    required     pam_limits.so
+session    include      system-auth