I wanted to use the "new" OpenSSH feature destination_constraint to limit which keys are tried in an ssh session with "sudo" in my ansible playbook. Sadly the passwordless sudo via pam_ssh_agent_auth seems to break if I want to use destination_constraints.
Not successful scenario:
I have a client (hostname is "chris-desktop-manjaro"). I'm in the user homelab-automation.
I load an ssh private key into an ssh-agent and
connect via ssh to my remote server (hostname is "mgtsrv001.houseofnerds.it") into the remote user "chris".
Then I want to become root with "sudo -i".
"Successful" scenario without pam_ssh_agent_auth:
I have a client (hostname is "chris-desktop-manjaro"). I'm in the user homelab-automation.
I load an ssh private key into an ssh-agent and
connect via ssh to my remote server (hostname is "mgtsrv001.houseofnerds.it") into the remote user "chris".
Then I want to become root with "ssh root@mgtsrv001.houseofnerds.it". This is successful.
The destination_constraint in all tests is
ssh-add -h "mgtsrv001.houseofnerds.it" -h "mgtsrv001.houseofnerds.it>mgtsrv001.houseofnerds.it"
This seems to suggest that the destination_constraints seem to work OK, but sadly I don't know what problem pam_ssh_agent_auth seems to have with the destination_constraint. Additionally, I also can't derive IF my destination_constraint is wrong for what I want to do, because there are so few examples of the usage of destination_constraints.
/etc/pam.d/sudo-i
root@mgtsrv001:~# cat /etc/pam.d/sudo-i
#%PAM-1.0
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
auth sufficient pam_ssh_agent_auth.so file=/root/.ssh/authorized_keys debug
@include common-auth
@include common-account
@include common-session
root@mgtsrv001:~#
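An added example (not from the post, and not code from OpenSSH or pam_ssh_agent_auth) that models how ssh-agent evaluates a destination-constrained key and replays the two scenarios above. Per ssh-add(1) and PROTOCOL.agent, a constrained key is only usable when every session-bind hop on that agent connection is covered by a constraint ("dst" covers a hop from the agent's own host to dst, "src>dst" covers a hop forwarded from src to dst), and the agent only signs data that parses as an SSH userauth request for service ssh-connection whose session ID equals the last session ID bound on the connection. The second ssh client in "ssh root@mgtsrv001.houseofnerds.it" binds the hop mgtsrv001>mgtsrv001 before it asks for a signature, so the constraint list in the post covers it; pam_ssh_agent_auth instead asks the agent to sign a challenge it generates itself rather than the userauth request of the bound session, so the agent refuses it regardless of the constraint list. The host names, session IDs, key blob and the exact challenge layout in the model are assumptions; the real agent matches hops by host key (resolved from known_hosts when ssh-add runs), not by name.

```python
"""Simplified model of how OpenSSH's ssh-agent applies destination constraints.

Added illustration, not code from OpenSSH or pam_ssh_agent_auth. Hostnames,
session IDs, the key blob and the layout of the PAM challenge are assumed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import os
import struct

SSH2_MSG_USERAUTH_REQUEST = 50
M = "mgtsrv001.houseofnerds.it"   # remote host from the post


@dataclass(frozen=True)
class Constraint:
    src: Optional[str]   # None: the host the agent itself runs on (origin)
    dst: str


def parse_constraint(spec: str) -> Constraint:
    """Parse one `ssh-add -h` argument: 'dst' or 'src>dst'."""
    if ">" in spec:
        src, dst = spec.split(">", 1)
        return Constraint(src, dst)
    return Constraint(None, spec)


@dataclass
class Hop:
    host: str          # host whose key was presented in the session-bind
    session_id: bytes  # session ID bound for that hop
    forwarded: bool    # the client requested agent forwarding on this hop


@dataclass
class AgentSocket:
    """One client connection to the agent and its session-bind history."""
    hops: List[Hop] = field(default_factory=list)

    def session_bind(self, host: str, session_id: bytes, forwarded: bool) -> None:
        self.hops.append(Hop(host, session_id, forwarded))


def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def userauth_blob(session_id: bytes, user: str, service: str,
                  pkalg: bytes, pkblob: bytes) -> bytes:
    """Data a client asks the agent to sign for 'publickey' userauth (RFC 4252)."""
    return (ssh_string(session_id) + bytes([SSH2_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode()) + ssh_string(service.encode())
            + ssh_string(b"publickey") + b"\x01"
            + ssh_string(pkalg) + ssh_string(pkblob))


def parse_userauth(data: bytes) -> Optional[Tuple[bytes, str]]:
    """Return (session_id, service) if data is a complete userauth request."""
    def take(off: int) -> Tuple[bytes, int]:
        (n,) = struct.unpack_from(">I", data, off)
        return data[off + 4:off + 4 + n], off + 4 + n
    try:
        sid, off = take(0)
        if data[off] != SSH2_MSG_USERAUTH_REQUEST:
            return None
        _user, off = take(off + 1)
        service, off = take(off)
        method, off = take(off)
        if data[off] != 1 or method != b"publickey":   # sig-follows flag
            return None
        _alg, off = take(off + 1)
        _key, off = take(off)
    except (struct.error, IndexError):
        return None
    if off != len(data) or not sid:   # trailing data or empty session ID
        return None
    return sid, service.decode()


def agent_sign_decision(constraints: List[Constraint], sock: AgentSocket,
                        data: bytes) -> str:
    """Decide, as the agent would, whether to sign `data` with this key."""
    if not constraints:
        return "permitted (unconstrained key)"
    if not sock.hops:
        return "refused: unbound connection"
    parsed = parse_userauth(data)
    if parsed is None or parsed[1] != "ssh-connection":
        return "refused: unidentified signature"
    prev: Optional[str] = None
    for i, hop in enumerate(sock.hops):
        if not any(c.src == prev and c.dst == hop.host for c in constraints):
            return f"refused: hop {prev or 'origin'}->{hop.host} not permitted"
        if i < len(sock.hops) - 1 and not hop.forwarded:
            return f"refused: hop to {hop.host} was not forwarded"
        prev = hop.host
    if parsed[0] != sock.hops[-1].session_id:
        return "refused: unexpected session-id"
    return "permitted"


def scenarios(constraints: List[Constraint]) -> dict:
    """Replay both scenarios from the post with assumed session IDs and key."""
    pkalg, pkblob = b"ssh-ed25519", b"\x00" * 51   # placeholder key blob
    # Each forwarded agent connection is bound to hop 1 by the desktop's ssh.
    sock1, sock2 = AgentSocket(), AgentSocket()
    sock1.session_bind(M, os.urandom(32), forwarded=True)
    sock2.session_bind(M, os.urandom(32), forwarded=True)
    # Scenario 1: sudo -i; pam_ssh_agent_auth builds its own challenge with a
    # fresh random session ID and its own service name (layout assumed).
    pam = userauth_blob(os.urandom(32), "chris", "pam_ssh_agent_auth", pkalg, pkblob)
    # Scenario 2: ssh root@M from M binds hop 2, then signs the real request.
    sid2 = os.urandom(32)
    sock2.session_bind(M, sid2, forwarded=False)
    real = userauth_blob(sid2, "root", "ssh-connection", pkalg, pkblob)
    return {"sudo -i via pam_ssh_agent_auth": agent_sign_decision(constraints, sock1, pam),
            "ssh root@M from M": agent_sign_decision(constraints, sock2, real)}


if __name__ == "__main__":
    cons = [parse_constraint(M), parse_constraint(f"{M}>{M}")]
    for name, verdict in scenarios(cons).items():
        print(f"{name}: {verdict}")
```

Running it with the post's two constraints gives "permitted" for the second ssh hop and a refusal for the PAM challenge; dropping the "mgtsrv001>mgtsrv001" constraint makes the second hop fail too, which is how you can check a constraint list against an intended hop chain before loading the key.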