jbeverly / pam_ssh_agent_auth

Moving pam_ssh_agent_auth to github as primary development location

Quick question: Does it require a reboot to take effect after installation? #26

Open beyondbill opened 3 years ago

beyondbill commented 3 years ago

I want to install pam_ssh_agent_auth in Fedora CoreOS. The installation succeeded with a reminder to reboot though.

```
[core@ip-10-10-8-158 pam_ssh_agent_auth-0.10.3]$ sudo rpm-ostree install pam_ssh_agent_auth
Checking out tree 6df95bd... done
Enabled rpm-md repositories: fedora-cisco-openh264 updates fedora
Updating metadata for 'fedora-cisco-openh264'... done
rpm-md repo 'fedora-cisco-openh264'; generated: 2020-03-17T20:10:45Z
Updating metadata for 'updates'... done
rpm-md repo 'updates'; generated: 2020-07-22T00:57:28Z
Updating metadata for 'fedora'... done
rpm-md repo 'fedora'; generated: 2020-04-22T22:22:36Z
Importing rpm-md... done
Resolving dependencies... done
Will download: 1 package (157.7 kB)
Downloading from 'updates'... done
Importing packages... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
Added:
  pam_ssh_agent_auth-0.10.3-10.3.fc32.x86_64
Run "systemctl reboot" to start a reboot
```

I would totally get the need to restart sshd. But is rebooting the server truly necessary for pam_ssh_agent_auth to take effect? If possible, I want to avoid such a reboot. Here are the Ansible tasks related to how pam_ssh_agent_auth is used in my case.

```yaml
- name: Copy over authorized_keys file for sudo access
  copy:
    src: "{{ base_ami_config.authorized_keys_path | default('authorized_keys') }}"
    dest: /etc/security/authorized_keys
    owner: root
    group: root
    mode: 0600
- name: Set up pam_ssh_agent_auth for sudo authorization
  lineinfile:
    path: /etc/pam.d/sudo
    line: 'auth    sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys'
    insertbefore: BOF
- name: Keep SSH_AUTH_SOCK in sudo to verify private key in SSH agent
  lineinfile:
    path: /etc/sudoers
    line: 'Defaults    env_keep += "SSH_AUTH_SOCK"'
    insertafter: '^Defaults\s+env_keep\s*=.*'
```

Jakuje commented 3 years ago

The reboot request is probably not related to pam_ssh_agent_auth, but either to some other package that was installed (previously?) or to the way installation through OSTree works (not very familiar with this).

The pam_ssh_agent_auth PAM module itself does not require a reboot or a restart of sshd, as the PAM module does not interact with sshd at all.
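
A read-only check of the sudo setup described in this thread, added here as an example (it is not code from the thread or from the pam_ssh_agent_auth project). It reports whether the module file is visible in the filesystem being inspected and whether the PAM line, key file and sudoers entry from the Ansible tasks are in place. The function name, its `ROOT` and `OWNER` parameters, and the list of module directories are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread: read-only check of the sudo setup that
# the Ansible tasks above create. ROOT and OWNER are parameters of this sketch
# (hypothetical) so it can run against a test tree; on a host, pass no arguments.
# The return value is the number of failed checks.
check_agent_sudo() {
    root=${1:-}; owner=${2:-root}; fail=0

    # 1. Module file visible in the inspected filesystem?
    #    The directory list is an assumption; adjust it for your distribution.
    found=
    for dir in /usr/lib64/security /usr/lib/security /lib64/security /lib/security; do
        if [ -f "$root$dir/pam_ssh_agent_auth.so" ]; then found=$dir; fi
    done
    if [ -n "$found" ]; then echo "ok:   module present in $found"
    else echo "FAIL: pam_ssh_agent_auth.so not found"; fail=$((fail + 1)); fi

    # 2. /etc/pam.d/sudo references the module; extract its file= argument.
    pamline=$(grep -E '^auth[[:space:]]+sufficient[[:space:]]+pam_ssh_agent_auth\.so' \
        "$root/etc/pam.d/sudo" 2>/dev/null | head -n 1)
    keyfile=$(printf '%s\n' "$pamline" |
        sed -n 's/.*[[:space:]]file=\([^[:space:]]*\).*/\1/p')

    # 3. The key list decides who gets sudo, so it must not be writable by
    #    group/other and must belong to the expected owner.
    if [ -z "$keyfile" ]; then
        echo "FAIL: no 'auth sufficient pam_ssh_agent_auth.so ... file=' line"; fail=$((fail + 1))
    elif [ ! -f "$root$keyfile" ]; then
        echo "FAIL: $keyfile is missing"; fail=$((fail + 1))
    elif [ -n "$(find "$root$keyfile" \( -perm -020 -o -perm -002 -o ! -user "$owner" \) -print)" ]; then
        echo "FAIL: $keyfile is group/world-writable or not owned by $owner"; fail=$((fail + 1))
    else echo "ok:   $keyfile owned by $owner, not group/world-writable"; fi

    # 4. sudo must pass SSH_AUTH_SOCK through, or the module cannot reach the agent.
    if grep -Eqs '^[[:space:]]*Defaults.*env_keep.*SSH_AUTH_SOCK' \
        "$root/etc/sudoers" "$root"/etc/sudoers.d/*; then
        echo "ok:   sudoers keeps SSH_AUTH_SOCK"
    else echo "FAIL: sudoers does not keep SSH_AUTH_SOCK"; fail=$((fail + 1)); fi

    return "$fail"
}
```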