February 12, 2011

painless `sudo` invocation

For quite some time now I’ve been working as an administrator to keep servers up and running. What bugs me most is remembering all those different root passwords, which need to be typed in at least once after a remote ssh session has been started, to launch an interactive sudo shell via sudo -i.

I used to store all these passwords in a note in my 1Password keychain: a safe solution, yet one that requires too much work to retrieve a password if I wanted to work on a server. That’s why I was extremely pleased when by coincidence I found a pam module which makes use of your ssh agent for sudo authentication. It’s called pam_ssh_agent_auth.

Until now I’ve tried to get the module running on two different servers. The first server is an x86 Ubuntu 10.04 LTS server, hosted by Linode, the second an OpenSuse 10.3 x86_64 server hosted by 1und1. The installation was really painless on both machines, following a guide I found on blogspot. For pam_ssh_agent_auth to work you have to forward your SSH agent. That’s the only drawback I’ve found so far.

Here are the important steps for getting pam_ssh_agent_auth to work on x86 Ubuntu 10.04 LTS, according to the guide linked below:

  1. $ sudo apt-get install libpam0g-dev libssl-dev

  2. download, extract and unzip the latest version of pam_ssh_agent_auth (v0.9.2 as of 11-02-12)

  3. cd into the directory

  4. $ ./configure; make

  5. $ sudo make libexecdir=/lib/security install

  6. replace /etc/pam.d/sudo content with the following single line (PAM reads one directive per line, so the file= option must not be wrapped onto a second line)

    auth required pam_ssh_agent_auth.so file=/etc/security/authorized_keys

  7. add public keys for sudo-enabled users to /etc/security/authorized_keys

  8. update /etc/sudoers add

    Defaults env_keep += SSH_AUTH_SOCK

Note if you want to make this work on an x86_64 Ubuntu, you’ll most likely have to change step 5 to sudo make libexecdir=/lib64/security install. If you feel like trying out the pam module you should read the blogspot guide, as it describes the module in a little more depth. If you are having trouble getting the pam module to work, add the debug option to the line added in step 6 and watch for messages in /var/log/syslog. If you want pam_ssh_agent_auth to work alongside password based logins make sure to bring lots of coffee, because the configuration is somewhat painful. If you have any suggestions on how to get this working make sure to send me an email ;)
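Before reading syslog, it helps to verify the preconditions the steps above set up. The script below is an added example, not code from the original post or from pam_ssh_agent_auth; it assumes the paths the post uses (/etc/pam.d/sudo, /etc/sudoers, /etc/security/authorized_keys) and GNU grep, find and ssh-add, and each check takes a file path so it can be run against a copy.

```shell
#!/bin/sh
# Preflight check for a pam_ssh_agent_auth setup (added example, not from
# the post). Paths follow the post; each check takes the file as an argument.

# PAM reads one directive per line and does not join continuation lines,
# so the module name and its file= option must sit on the same line.
pam_sudo_ok() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|sufficient)[[:space:]]+pam_ssh_agent_auth\.so[[:space:]].*file=[^[:space:]]+' "$1"
}

# sudo scrubs the environment; without this line the module never sees
# SSH_AUTH_SOCK and cannot reach the forwarded agent.
sudoers_keeps_sock() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"?SSH_AUTH_SOCK"?' "$1"
}

# Every key in this file grants root, so it must exist and must not be
# group- (020) or world- (002) writable. Ownership is checked in preflight.
authorized_keys_safe() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]
}

# The agent socket must have been forwarded into this session (ssh -A).
agent_forwarded() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Runs all checks against the live files. /etc/sudoers is root-readable
# only, so run this as root (for example from a console login).
preflight() {
    rc=0
    pam_sudo_ok /etc/pam.d/sudo || { echo "FAIL: no single-line pam_ssh_agent_auth entry in /etc/pam.d/sudo"; rc=1; }
    sudoers_keeps_sock /etc/sudoers || { echo "FAIL: /etc/sudoers lacks 'Defaults env_keep += SSH_AUTH_SOCK'"; rc=1; }
    authorized_keys_safe /etc/security/authorized_keys || { echo "FAIL: /etc/security/authorized_keys missing or writable by others"; rc=1; }
    [ -z "$(find /etc/security/authorized_keys ! -user root -print 2>/dev/null)" ] || { echo "FAIL: /etc/security/authorized_keys not owned by root"; rc=1; }
    agent_forwarded || { echo "FAIL: SSH_AUTH_SOCK not set or not a socket; reconnect with ssh -A"; rc=1; }
    ssh-add -l >/dev/null 2>&1 || { echo "FAIL: agent reachable but lists no keys (ssh-add -l)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: pam_ssh_agent_auth preconditions met"
    return "$rc"
}

# Only run the live checks when asked, so the functions can be sourced.
case "${1:-}" in --check) preflight ;; esac
```

Run it as `sh preflight.sh --check` on the server; a non-zero exit with a FAIL line points at the step to revisit.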

My punchline is that if you are running an Ubuntu based server and want to be able to use sudo without having to type in yet another password, install pam_ssh_agent_auth and enjoy your much-easier time as an administrator:

$ ssh example.com -A
example.com $ sudo echo "yaaay"

Related links:

© Raphael Randschau 2010 - 2022 | Impressum