In my SSH agent I have several keys loaded. I log on to a remote machine using one of these keys (e.g., selected by my local SSH config file) and it works fine.
When I attempt a sudo using a key, it gets rejected. With debug enabled, in the log I see as many attempts as I have keys in my agent. Naturally only one of these attempts is successful (as I only have one public key available to the remote system) and the rest result in "key not found". I would even expect that upon the first match the loop over the list of keys will stop and PAM_SUCCESS will be issued; oddly, the loop goes on and the overall result is sudo rejection (i.e. it falls back to keyboard-interactive, which is the next available mechanism in my PAM config).
The line in my PAM sudo config is as follows (top of the list):
auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys authorized_keys_command_user=root debug
For the record, the server side is RHEL-9 using their package 0.10.4 for pam_ssh_agent_auth. My client side is Fedora 36.
Attached is the system journal from the server side during sudo attempt. debug.log
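One thing worth pinning down before reading the PAM debug output is exactly which of the agent's keys the authorized_keys_command would accept, and what their SHA256 fingerprints are, so each attempt in the log can be matched to a key. The script below is an added example, not part of the original report and not code from pam_ssh_agent_auth: it parses `ssh-add -L` style output and an authorized-keys listing (the format `sss_ssh_authorizedkeys <user>` prints), compares them on key type and raw blob (comments ignored, which is how the module treats them), and prints an OpenSSH-style fingerprint for every agent key. The three sample keys are constructed in-process from a hash of a label and are not real keys.

```python
"""Cross-check the keys loaded in an SSH agent against the keys an
authorized_keys_command would return for the target user.

Added example, not part of the original report or of pam_ssh_agent_auth.
Inputs are the text formats of `ssh-add -L` and of an authorized-keys
command such as `sss_ssh_authorizedkeys <user>`; the sample keys below
are constructed in-process and are not real keys.
"""
import base64
import hashlib
import struct
from typing import NamedTuple


class PubKey(NamedTuple):
    key_type: str
    blob_b64: str
    comment: str


def parse_keys(text: str) -> list[PubKey]:
    """Parse `<type> <base64> [comment]` lines (ssh-add -L / authorized_keys).

    Entries carrying leading options (e.g. `from="..."`) are not handled;
    blank lines and `#` comments are skipped.
    """
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        comment = parts[2] if len(parts) == 3 else ""
        keys.append(PubKey(parts[0], parts[1], comment))
    return keys


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 digest with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def match_agent_keys(agent_text: str, authorized_text: str) -> dict:
    """Split agent keys into those present in the authorized listing and the rest.

    Comparison is on key type plus raw blob; the trailing comment is ignored,
    since authentication is on key material, not on the label.
    """
    authorized = {(k.key_type, k.blob_b64) for k in parse_keys(authorized_text)}
    matched, unmatched = [], []
    for key in parse_keys(agent_text):
        bucket = matched if (key.key_type, key.blob_b64) in authorized else unmatched
        bucket.append((fingerprint(key.blob_b64), key.comment))
    return {"matched": matched, "unmatched": unmatched}


def make_ed25519_blob(seed: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob from a seed.

    Constructed test data only: the 32 key bytes are a hash of the seed,
    not a real public key.
    """
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b

    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed.encode()).digest())
    return base64.b64encode(blob).decode()


# Constructed sample: three keys in the agent, only one of them authorized.
AGENT_KEYS = "\n".join(
    f"ssh-ed25519 {make_ed25519_blob(name)} {name}@client"
    for name in ("work", "personal", "infra")
)
AUTHORIZED_FOR_USER = f"ssh-ed25519 {make_ed25519_blob('infra')} infra@client\n"

if __name__ == "__main__":
    result = match_agent_keys(AGENT_KEYS, AUTHORIZED_FOR_USER)
    for fp, comment in result["matched"]:
        print("authorized    ", fp, comment)
    for fp, comment in result["unmatched"]:
        print("not authorized", fp, comment)
```

In practice, capture `ssh-add -L` on the client (Fedora 36 here) and run `sss_ssh_authorizedkeys` on the RHEL-9 server for the account the module is looking up, then feed both texts to `match_agent_keys`. With the key list and fingerprints in hand, the "key not found" entries in the journal can be tied to specific unmatched keys and the single expected match can be confirmed, which separates a key-matching problem from the PAM control-flow question raised above.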