Using SSH agent for sudo


Logging into machines with SSH, then typing in a password to use sudo has a bunch of problems:


Use ssh keys for login, and pam_ssh_agent_auth for sudo.

Step one:

Add to the top of /etc/pam.d/sudo:

auth     sufficient file=/etc/security/authorized_keys

This means have ssh agent auth check /etc/security/authorized_keys for the ssh keys to use, and if it succeeds, then consider that sufficient to authenticate the user, and skip all further steps (e.g. asking for a password).

Step two:

sudo will normally strip out SSH_AUTH_SOCK from the environment, which breaks ssh agent auth. This can be fixed by adding the line:

Defaults        env_keep += "SSH_AUTH_SOCK"

Caveats, troubleshooting, and tips.