r/sudo: Optionally enable pam_ssh_agent_auth

The [pam_ssh_agent_auth][0] PAM module authenticates users using keys in
their SSH agent.  Using SSH agent forwarding, it can even authenticate
users with keys on a remote system.  By adding it to the PAM stack for
`sudo`, we can configure the latter to authenticate users without
requiring a password.  For servers especially, this is significantly
more secure than configuring `sudo` not to require a password, while
still being almost as convenient.

For this to work, users need to enable SSH agent forwarding on their
clients, and their public keys have to be listed in the
`/etc/security/sudo.authorized_keys` file.  Additionally, although the
documentation suggests otherwise, the `SSH_AUTH_SOCK` environment
variable has to be added to the `env_keep` list in *sudoers(5)*.

[0]: https://github.com/jbeverly/pam_ssh_agent_auth

roles/sudo/defaults/main.yml

@@ -1 +1,5 @@
+sudo_use_pam_ssh_agent: false
+sudo_packages:
+- sudo
+- '{% if sudo_use_pam_ssh_agent %}pam_ssh_agent_auth{% endif %}'
 admin_users: []

roles/sudo/tasks/main.yml

@@ -1,7 +1,7 @@
-- name: ensure sudo is installed
+- name: ensure sudo packages are installed
   package:
-    name=sudo
+    name: '{{ sudo_packages|reject("eq", "") }}'
-    state=present
+    state: present
   tags:
   - install
 
@@ -25,3 +25,52 @@
   file:
     path=/etc/sudoers.d/sudo
     state=absent
+
+- name: ensure pam is configured for sudo
+  template:
+    src: sudo.pam.conf
+    dest: /etc/pam.d/sudo
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  tags:
+  - pam-ssh-agent
+
+- name: ensure sudo authorized ssh_keys are configured
+  copy:
+    dest: /etc/security/sudo.authorized_keys
+    content: '{{ sudo_authorized_ssh_keys }}'
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  when: sudo_use_pam_ssh_agent
+  tags:
+  - pam-ssh-agent
+  - pam-ssh-agent-keys
+- name: ensure sudo authorized ssh_keys are not configured
+  file:
+    path: /etc/security/sudo.sshkeys
+    state: absent
+  when: not sudo_use_pam_ssh_agent
+  tags:
+  - pam-ssh-agent
+  - pam-ssh-agent-keys
+
+# Upstream documentation says this is only required for "old" versions
+# of sudo, however without it, SSH key authentication always fails.  I
+# suspect it is only unnecessary when users originally authenticated to
+# the SSH daemon using a public key, but required for other forms of
+# authentication, such as GSSAPI.
+- name: ensure sudo is configured for pam_ssh_agent_auth
+  copy:
+    dest: /etc/sudoers.d/ssh-auth-sock
+    content: |+
+      {% if sudo_use_pam_ssh_agent %}
+      Defaults   env_keep += "SSH_AUTH_SOCK"
+      {% endif %}
+    mode: u=rw,g=r,o=
+    owner: root
+    group: root
+    validate: visudo -cf %s
+  tags:
+  - pam-ssh-agent

roles/sudo/templates/sudo.pam.conf

@@ -0,0 +1,10 @@
+#%PAM-1.0
+{% if sudo_use_pam_ssh_agent %}
+-auth      sufficient   pam_ssh_agent_auth.so file=/etc/security/sudo.authorized_keys
+{% endif %}
+auth       include      system-auth
+account    include      system-auth
+password   include      system-auth
+session    optional     pam_keyinit.so revoke
+session    required     pam_limits.so
+session    include      system-auth