Open KeyofBlueS opened 4 years ago
I also have trouble setting up this.
Feb 21 19:41:06 debian su[29591]: pam_ssh_agent_auth: Beginning pam_ssh_agent_auth for user root
Feb 21 19:41:06 debian su[29591]: pam_ssh_agent_auth: Attempting authentication: `juniko' as `root' using /etc/ssh/sudo_authorized_keys
Feb 21 19:41:06 debian su[29591]: pam_ssh_agent_auth: Contacted ssh-agent of user juniko (1000)
Feb 21 19:41:06 debian su[29591]: pam_ssh_agent_auth: Failed Authentication: `juniko' as `root' using /etc/ssh/sudo_authorized_keys
I have the same configuration as you.
su from util-linux 2.33.1
Debian GNU/Linux 10 (buster)
libpam-ssh-agent-auth: 0.10.3-3
Got it working for me on OSX: Be sure you have added the same identities in your local ssh agent. Test it using
ssh-add -L
It should print the public keys in your agent and at least one of them should match the public key on server in /etc/ssh/sudo_authorized_keys.
Also don't forget to enable key forwarding for this server (my last gotcha): Add
ForwardAgent yes
in ~/.ssh/config for the specified host(s)
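The check described in the comment above (a key printed by `ssh-add -L` must also be listed in /etc/ssh/sudo_authorized_keys) can be scripted. This is an added example, not code from the thread or from pam_ssh_agent_auth; the function names and the sample keys are constructed for illustration, and it compares only key type and key blob, ignoring options and comments.

```shell
#!/bin/sh
# Added diagnostic sketch; not part of pam_ssh_agent_auth.

# Reduce public-key lines on stdin to "type blob", dropping authorized_keys
# options (from="...", command="...") and the trailing comment.
key_blobs() {
    awk '$1 ~ /^#/ { next }
    {
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com)$/ && $(i + 1) ~ /^AAAA/) {
                print $i, $(i + 1)
                break
            }
    }' | sort -u
}

# matching_keys AGENT_LISTING KEYS_FILE
# Prints every key present in both files; returns 1 if there is none.
matching_keys() {
    tmp=$(mktemp) || return 2
    rc=0
    key_blobs < "$1" > "$tmp"
    key_blobs < "$2" | grep -Fxf "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample data (not real keys): one agent listing, one keys file.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' \
        'ssh-rsa AAAAB3ConstructedRsaKey juniko@laptop' \
        'ssh-ed25519 AAAAC3ConstructedEdKey juniko@laptop' > "$d/agent.txt"
    printf '%s\n' \
        '# ssh-rsa AAAAB3ConstructedRsaKey disabled entry' \
        'from="192.0.2.10" ssh-ed25519 AAAAC3ConstructedEdKey admin key' \
        'ssh-rsa AAAAB3ConstructedOtherKey someone@else' > "$d/sudo_keys"
    if matching_keys "$d/agent.txt" "$d/sudo_keys"; then
        echo "an agent key is listed in the keys file"
    else
        echo "no agent key is listed in the keys file"
    fi
    rm -rf "$d"
}

# Real use: ssh-add -L > agent.txt
#           matching_keys agent.txt /etc/ssh/sudo_authorized_keys
demo
```

Run the real comparison on the server, in the same session that calls sudo, so the listing comes from the forwarded agent that the module actually contacts.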
Also don't forget to enable key forwarding for this server (my last gotcha): Add
ForwardAgent yes
@ThomasTr I prefer to specify the -A flag in the ssh command. For me, it is equivalent to running a command with or without sudo locally. Without the -A flag, I am connecting as a normal user with limited rights. With the -A, I am connecting as a superuser.
Working for me too, although I can't use an ECDSA key as it causes a segfault when sudoing: https://github.com/jbeverly/pam_ssh_agent_auth/issues/18 https://github.com/jbeverly/pam_ssh_agent_auth/pull/24
Hi,
Seems like I can't get it to work properly on my server. This is what I've done on the server so far:
Copied the authorized keys with:
$ sudo cp ~/.ssh/authorized_keys /etc/ssh/sudo_authorized_keys
Contents of /etc/pam.d/sudo
auth [success=3 default=ignore] pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys debug
@include common-auth
@include common-account
@include common-session-noninteractive
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults env_keep += SSH_AUTH_SOCK
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
$ printenv | grep SSH
SSH_AUTH_SOCK=/tmp/ssh-yCRLYnX7W0as/agent.2645
$ sudo printenv | grep SSH
SSH_AUTH_SOCK=/tmp/ssh-yCRLYnX7W0as/agent.2645
Dec 20 21:03:00 debian-SERVER sudo[2764]: pam_ssh_agent_auth: Beginning pam_ssh_agent_auth for user myuser
Dec 20 21:03:00 debian-SERVER sudo[2764]: pam_ssh_agent_auth: Attempting authentication: `myuser' as `myuser' using /etc/ssh/sudo_authorized_keys
Dec 20 21:03:00 debian-SERVER sudo[2764]: pam_ssh_agent_auth: Contacted ssh-agent of user myuser (1000)
Dec 20 21:03:00 debian-SERVER sudo[2764]: pam_ssh_agent_auth: Failed Authentication: `myuser' as `myuser' using /etc/ssh/sudo_authorized_keys