Difficulties setting up pam_ssh_agent_auth


Difficulties setting up pam_ssh_agent_auth

Rory Campbell-Lange
I'm having trouble setting up pam_ssh_agent_auth.so, which allows users
with authenticated public keys to sudo.

cat /etc/pam.d/sudo
    auth     sufficient    pam_ssh_agent_auth.so file=/etc/security/authorized_keys
    @include common-auth
    @include common-account
    @include common-session-noninteractive

/var/log/auth.log
    Apr  8 06:53:54 localhost sudo[23924]: pam_ssh_agent_auth: matching key found: file/command /etc/security/authorized_keys, line 7
    Apr  8 06:53:54 localhost sudo[23924]: pam_ssh_agent_auth: Found matching RSA key: a5:36:xx:f5:xx:9f:xx:20:6a:d9:87:98:4a:4b:10:6a
    Apr  8 06:53:54 localhost sudo[23924]: pam_ssh_agent_auth: Authenticated: `it' as `it' using /etc/security/authorized_keys
    Apr  8 06:53:54 localhost sudo:       it : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/it ; USER=root ; COMMAND=/usr/bin/ls

user:
    it@localhost:~$ sudo ls
    it is not in the sudoers file.  This incident will be reported.

It looks like the pam configuration is incorrect, although I'm using the
configuration recommended in the README.

Changing the auth line in /etc/pam.d/sudo to

    auth     [success=3 default=ignore] pam_ssh_agent_auth.so file=/etc/security/authorized_keys
   
Has this effect:

    it@localhost:~$ sudo ls
    Sorry, try again.
    Sorry, try again.
    sudo: 3 incorrect password attempts

Assistance gratefully received
Rory



Re: Difficulties setting up pam_ssh_agent_auth

john doe-6
On 4/8/2020 9:20 AM, Rory Campbell-Lange wrote:

> I'm having trouble setting up pam_ssh_agent_auth.so, which allows users
> with authenticated public keys to sudo.
>
> cat /etc/pam.d/sudo
>     auth     sufficient    pam_ssh_agent_auth.so file=/etc/security/authorized_keys
>     @include common-auth
>     @include common-account
>     @include common-session-noninteractive
>
> /var/log/auth.log
>     Apr  8 06:53:54 localhost sudo[23924]: pam_ssh_agent_auth: matching key found: file/command /etc/security/authorized_keys, line 7
>     Apr  8 06:53:54 localhost sudo[23924]: pam_ssh_agent_auth: Found matching RSA key: a5:36:xx:f5:xx:9f:xx:20:6a:d9:87:98:4a:4b:10:6a
>     Apr  8 06:53:54 localhost sudo[23924]: pam_ssh_agent_auth: Authenticated: `it' as `it' using /etc/security/authorized_keys
>     Apr  8 06:53:54 localhost sudo:       it : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/it ; USER=root ; COMMAND=/usr/bin/ls
>
> user:
>     it@localhost:~$ sudo ls
>     it is not in the sudoers file.  This incident will be reported.
>

Is the user in question in the sudoers file?

Try the following line in /etc/sudoers.d/ssh:

    user ALL=(ALL) ALL

Where 'user' is the name of the SSH user.

If it works, you should restrict the above line.

--
John Doe


Re: Difficulties setting up pam_ssh_agent_auth

Rory Campbell-Lange
On 08/04/20, john doe ([hidden email]) wrote:
> On 4/8/2020 9:20 AM, Rory Campbell-Lange wrote:
> > I'm having trouble setting up pam_ssh_agent_auth.so, which allows users
> > with authenticated public keys to sudo.

> Is the user in question in the sudoers file?
>
> Try the following line in /etc/sudoers.d/ssh
> user ALL=(ALL) ALL

Thanks for the suggestion. I was under the impression that no sudoers
line was required, but I was wrong. The following configuration, for
example:

    IT      ALL=ALL

gives users in the IT User_Alias the ability to run any command as root,
but they have to authenticate first. The authentication comes from
pam_ssh_agent_auth.

Thanks very much
Rory
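The thread turns on the split between the two decisions sudo makes: the PAM stack in the first post (pam_ssh_agent_auth) answers "is this really the user", and the sudoers rule in the last post answers "may this user run the command". The auth.log excerpt shows the first succeeding and the second failing. The script below is an added example, not code from the thread or from the pam_ssh_agent_auth project: it parses a pam.d/sudo fragment and a sudoers fragment (both constructed inline from the thread, nothing is read from disk) and reports what each layer would decide for a given user. Two things in the sample sudoers are assumptions not shown in the thread: the `Defaults env_keep += "SSH_AUTH_SOCK"` line, which the module's README requires because sudo's `env_reset` otherwise strips the agent socket variable, and the alias members `rory` and `%ops`, which are hypothetical and only there to exercise nested User_Alias and group resolution.

```python
import re

# Constructed sample configuration, copied from the thread; nothing is read from disk.
PAM_SUDO = """\
auth     sufficient    pam_ssh_agent_auth.so file=/etc/security/authorized_keys
@include common-auth
@include common-account
@include common-session-noninteractive
"""

# The state in the first post: PAM authenticates "it", but no sudoers rule covers that user.
SUDOERS_BEFORE = """\
Defaults env_reset
"""

# The state after the fix, with the IT alias from the last post.  The env_keep line is an
# assumption taken from the pam_ssh_agent_auth README (sudo's env_reset otherwise strips
# SSH_AUTH_SOCK, so the module cannot reach the agent); "rory" and "%ops" are hypothetical.
SUDOERS_AFTER = """\
Defaults env_reset
Defaults env_keep += "SSH_AUTH_SOCK"
User_Alias IT = it, rory, %ops
IT      ALL=ALL
"""


def pam_agent_auth(pam_text):
    """Return the file= argument of pam_ssh_agent_auth in the auth stack, or None if the
    module is absent.  Handles both a plain control word (sufficient) and the bracketed
    [success=N default=ignore] form the first post tried."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        if fields[1].startswith("["):
            close = next(i for i, f in enumerate(fields) if f.endswith("]"))
            rest = fields[close + 1:]
        else:
            rest = fields[2:]
        if rest and rest[0].rsplit("/", 1)[-1] == "pam_ssh_agent_auth.so":
            opts = dict(o.split("=", 1) for o in rest[1:] if "=" in o)
            return opts.get("file", "(module default)")
    return None


def parse_sudoers(text):
    """Collect User_Alias definitions, env_keep variables and the 'who' field of each
    user specification.  Enough sudoers grammar for an audit, not a full parser."""
    aliases, env_keep, specs = {}, set(), []
    for raw in re.sub(r"\\\n", " ", text).splitlines():  # join backslash continuations
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            m = re.search(r'env_keep\s*\+?=\s*"([^"]*)"', line)
            if m:
                env_keep.update(m.group(1).split())
            continue
        m = re.match(r"User_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [u.strip() for u in m.group(2).split(",")]
            continue
        if re.match(r"\w+_Alias\b", line):
            continue  # Host_/Cmnd_/Runas_Alias do not decide who may run sudo
        m = re.match(r"(\S+)\s+\S+\s*=", line)  # WHO HOST=(RUNAS) CMD
        if m:
            specs.append(m.group(1))
    return aliases, env_keep, specs


def user_authorized(user, groups, sudoers_text):
    """True if some user specification names the user directly, via a %group the user
    belongs to, or via a (possibly nested) User_Alias."""
    aliases, _, specs = parse_sudoers(sudoers_text)

    def covers(who, seen=()):
        if who in seen:
            return False  # cyclic alias; visudo rejects these anyway
        if who.startswith("%"):
            return who[1:] in groups
        if who in aliases:
            return any(covers(m, seen + (who,)) for m in aliases[who])
        return who == user

    return any(covers(w) for w in specs)


def audit(user, groups, pam_text, sudoers_text):
    """Report the authentication side (PAM) and the authorization side (sudoers) separately,
    which is exactly the distinction the thread's log lines expose."""
    _, env_keep, _ = parse_sudoers(sudoers_text)
    return {
        "pam_agent_auth_file": pam_agent_auth(pam_text),
        "agent_socket_kept": "SSH_AUTH_SOCK" in env_keep,
        "sudoers_authorizes": user_authorized(user, groups, sudoers_text),
    }


if __name__ == "__main__":
    for label, sudoers in (("before", SUDOERS_BEFORE), ("after", SUDOERS_AFTER)):
        print(label, audit("it", {"it"}, PAM_SUDO, sudoers))
```

Run against the "before" sample, the audit shows PAM configured with the key file but no sudoers rule covering `it`, which is the combination behind "Authenticated: `it' as `it'" followed by "user NOT in sudoers". On a real host, pair this with `visudo -cf` on the drop-in and check that the authorized_keys file named in the PAM line is owned by root and not group- or world-writable, since a user who can edit that file can add a key that sudo will then accept.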