jbeverly / pam_ssh_agent_auth

Moving pam_ssh_agent_auth to github as primary development location

Failed Authentication #20

Open KeyofBlueS opened 4 years ago

KeyofBlueS commented 4 years ago

Hi,

Seems like I can't get it to work properly on my server. This is what I've done on the server so far:

```
auth [success=3 default=ignore] pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys debug
@include common-auth
@include common-account
@include common-session-noninteractive
```


- Contents of /etc/sudoers

```
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        env_keep += SSH_AUTH_SOCK
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
```


- Check if $SSH_AUTH_SOCK variable is present and preserved in sudo environment

```
$ printenv | grep SSH
SSH_AUTH_SOCK=/tmp/ssh-yCRLYnX7W0as/agent.2645

$ sudo printenv | grep SSH
SSH_AUTH_SOCK=/tmp/ssh-yCRLYnX7W0as/agent.2645
```


Anyway, after successfully logging into the server with ssh (PubkeyAuthentication), it still asks me to enter the password for sudo.

- Contents of /var/log/auth.log

```
Dec 20 21:03:00 debian-SERVER sudo[2764]: pam_ssh_agent_auth: Beginning pam_ssh_agent_auth for user myuser
Dec 20 21:03:00 debian-SERVER sudo[2764]: pam_ssh_agent_auth: Attempting authentication: `myuser' as `myuser' using /etc/ssh/sudo_authorized_keys
Dec 20 21:03:00 debian-SERVER sudo[2764]: pam_ssh_agent_auth: Contacted ssh-agent of user myuser (1000)
Dec 20 21:03:00 debian-SERVER sudo[2764]: pam_ssh_agent_auth: Failed Authentication: `myuser' as `myuser' using /etc/ssh/sudo_authorized_keys
```



What did I do wrong? Could you please help me? 
Thanks!
Kwaadpepper commented 4 years ago

I also have trouble setting up this.

```
Feb 21 19:41:06 debian su[29591]: pam_ssh_agent_auth: Beginning pam_ssh_agent_auth for user root
Feb 21 19:41:06 debian su[29591]: pam_ssh_agent_auth: Attempting authentication: `juniko' as `root' using /etc/ssh/sudo_authorized_keys
Feb 21 19:41:06 debian su[29591]: pam_ssh_agent_auth: Contacted ssh-agent of user juniko (1000)
Feb 21 19:41:06 debian su[29591]: pam_ssh_agent_auth: Failed Authentication: `juniko' as `root' using /etc/ssh/sudo_authorized_keys
```

I have the same configuration as you.

- su from util-linux 2.33.1
- Debian GNU/Linux 10 (buster)
- libpam-ssh-agent-auth: 0.10.3-3

ThomasTr commented 4 years ago

Got it working for me on OSX: Be sure you have added the same identities in your local ssh agent. Test it using

```
ssh-add -L
```

It should print the public keys in your agent and at least one of them should match the public key on server in /etc/ssh/sudo_authorized_keys.

Also don't forget to enable key forwarding for this server (my last gotcha): Add

```
ForwardAgent yes
```

in ~/.ssh/config for the specified host(s)
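An added check, written for this thread and not taken from pam_ssh_agent_auth or from any of the comments, that does by hand what the comment above suggests: it compares the identities `ssh-add -L` prints with the keys in the file named on the PAM line from the first post (`file=/etc/ssh/sudo_authorized_keys`). The module authenticates only if the agent can sign with a key whose type and base64 blob appear in that file, so the two listings must share at least one such pair; comments and leading authorized_keys options (`from="..."`, `command="..."`) are ignored in the comparison. The key lines in the script are constructed stand-ins, not real keys, and the `--live` mode assumes the sudoers `env_keep += SSH_AUTH_SOCK` line and agent forwarding from the posts above.

```shell
#!/bin/sh
# Added example (not from pam_ssh_agent_auth or any commenter): check, offline
# or live, whether a key the local agent offers is one the server will accept
# for sudo. pam_ssh_agent_auth matches the key the agent signs with against the
# entries in the file named on the PAM line (the thread's
# file=/etc/ssh/sudo_authorized_keys), so the `ssh-add -L` listing and that
# file must share at least one "type blob" pair.

# Reduce key lines to "type blob": skips blank and comment lines, drops the
# trailing comment, and skips leading authorized_keys options such as
# from="..." or command="..." that the server-side file may carry.
normalize_keys() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                    print $i, $(i + 1)
                    break
                }
            }
        }'
}

# Usage: matching_keys "<ssh-add -L output>" "<sudo_authorized_keys contents>"
# Prints each "type blob" present on both sides, once, in server-file order.
matching_keys() {
    {
        printf '%s\n' "$1" | normalize_keys | sed 's/^/A /'
        printf '%s\n' "$2" | normalize_keys | sed 's/^/S /'
    } | awk '
        $1 == "A" { agent[$2 " " $3] = 1; next }
        $1 == "S" && ($2 " " $3) in agent && !seen[$2 " " $3]++ { print $2, $3 }'
}

# Number of shared keys (0 reproduces the "Failed Authentication" log line).
count_matching_keys() {
    matching_keys "$1" "$2" | awk 'END { print NR }'
}

# Live check, run on the server in the session that will call sudo. Assumes
# the agent was forwarded (ssh -A or ForwardAgent yes) and that sudoers keeps
# SSH_AUTH_SOCK (Defaults env_keep += SSH_AUTH_SOCK) as in the thread; the
# file may need root (or a copy) to be readable.
diagnose() {
    file=${1:-/etc/ssh/sudo_authorized_keys}
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is unset: the agent was not forwarded into this session" >&2
        return 1
    fi
    if ! agent=$(ssh-add -L); then
        echo "ssh-add -L failed: agent unreachable or holds no identities" >&2
        return 1
    fi
    n=$(count_matching_keys "$agent" "$(cat "$file")")
    if [ "$n" -eq 0 ]; then
        echo "none of the agent's identities appear in $file; add one with ssh-add on the client" >&2
        return 1
    fi
    echo "agent identities listed in $file: $n"
}

# Constructed sample input (not real keys). The ed25519 key is in both places;
# the RSA key is only in the agent and the ECDSA key is only on the server.
SAMPLE_AGENT='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEagentAndServer000000000000000000000 laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEagentOnly00000000000000000000000 laptop-rsa'
SAMPLE_SERVER='# constructed stand-in for /etc/ssh/sudo_authorized_keys
from="192.0.2.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEagentAndServer000000000000000000000 myuser@laptop
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYEXAMPLEserverOnly0000 other@host'

# `sh check_sudo_agent_keys.sh` runs the offline demo (prints the shared key);
# `sh check_sudo_agent_keys.sh --live [file]` runs the live check on a server.
case "${1:-}" in
    --live) diagnose "${2:-/etc/ssh/sudo_authorized_keys}" ;;
    *) matching_keys "$SAMPLE_AGENT" "$SAMPLE_SERVER" ;;
esac
```

Run offline it prints only the ed25519 entry, which is the situation that makes the module succeed; with the ed25519 line removed from either side it prints nothing, which is the situation behind the "Failed Authentication" lines in both logs above. One caveat on the forwarding step the comment mentions: while the agent is forwarded, any process on the server running as your user, and root, can ask it to sign, so keep `ForwardAgent yes` scoped to the `Host` stanzas that need it (as the comment says) or pass `-A` per session rather than enabling it globally.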

eric-brechemier commented 4 years ago

> Also don't forget to enable key forwarding for this server (my last gotcha): Add
>
> ForwardAgent yes

@ThomasTr I prefer to specify the `-A` flag in the `ssh` command. For me, it is equivalent to running a command with or without sudo locally. Without the `-A` flag, I am connecting as a normal user with limited rights. With the `-A`, I am connecting as a superuser.

KeyofBlueS commented 3 years ago

Working for me too, although I can't use an ECDSA key as it causes a segfault when sudoing: https://github.com/jbeverly/pam_ssh_agent_auth/issues/18 https://github.com/jbeverly/pam_ssh_agent_auth/pull/24