Using SSH agent for sudo

Problem

Logging into machines with SSH, then typing in a password to use sudo has a bunch of problems:

• It means I need to remember passwords for all these machines.
• I need to rotate the passwords from time to time.
• If the machine is compromised, then they can trivially get the password.
• I'm entering passwords locally, if someone can see/film my keyboard, they can learn the passwords for the machines.
• The machines need to have some secret material on them, making it hard to reproduce their state from public sources (e.g. a public git repository).

Solution

Use ssh keys for login, and pam_ssh_agent_auth for sudo.

Step one:

Add to the top of /etc/pam.d/sudo:

auth     sufficient    pam_ssh_agent_auth.so file=/etc/security/authorized_keys

This means have ssh agent auth check /etc/security/authorized_keys for the ssh keys to use, and if it succeeds, then consider that sufficient to authenticate the user, and skip all further steps (e.g. asking for a password).

Step two:

sudo will normally strip out SSH_AUTH_SOCK from the environment, which breaks ssh agent auth. This can be fixed by adding the line:

Defaults        env_keep += "SSH_AUTH_SOCK"

Caveats, troubleshooting, and tips.

• It still prompts me for a password.

  • Did you set sudo to preserve the SSH_AUTH_SOCK environment variable?
  • Did you remember to forward your agent?

• I don't believe ssh agent auth supports ssh certificates, which is a bit of a bummer.

• Using ~/.ssh/authorized_keys uses the source user's not the destination user's authorized keys file. This means that if the source user is compromised, then the attacker can just add their key, then sudo, avoiding the protections.

• When combined with ssh-add -c on the client side, and a useful /usr/bin/ssh-askpass (there are several in debian, or just write a shell wrapper around zenity), then you can make sure that noone is stealing your agent if ssh'd into a compromised machine.

• I suspect, but have not experimented, that this works fantastically with a yubikey, with requiring a touch to authorize a key, this would probably work better than using ssh-add -c above.