How to make Shared Keys .ssh/authorized_keys and sudo work together?

What you want to do is possible, but it will require some experience, as you will have to compile a PAM module called pam-ssh-agent-auth.

The process is reasonably simple:

$ sudo aptitude install libssl-dev libpam0g-dev build-essential checkinstall
$ wget "http://downloads.sourceforge.net/project/pamsshagentauth/pam_ssh_agent_auth/v0.9.3/pam_ssh_agent_auth-0.9.3.tar.bz2"
$ tar -xjvf pam_ssh_agent_auth-0.9.3.tar.bz2
$ cd pam_ssh_agent_auth-0.9.3

$ ./configure --libexecdir=/lib/security --with-mantype=man

$ make
$ sudo checkinstall

Then edit the sudo configuration:

$ sudo visudo

Add the following:

Defaults env_keep += SSH_AUTH_SOCK

Continue by changing the sudo PAM settings:

$ sudo vi /etc/pam.d/sudo

Add (just above the @include lines):

auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
@include common-auth
@include common-account

ssh and sudo have nothing to do with each other. Setting up an ssh authentication method isn't going to do anything for sudo. sudo isn't going to understand an ssh password.

passwd -l is intended to lock a user's account, so that he can no longer authenticate by password. That's pretty much the opposite of what you want, which is letting the user authenticate without a password.

I think what you want is the NOPASSWD option in your sudoers file.

(PS, there's no reason to be running a cd command with sudo. cd does not propagate to parent processes, so as soon as the sudo exits, you're back where you started.)

Edit: You keep saying that you want to lock the account password and want sudo to understand public/private keys. Sorry, sudo isn't going to use ssh keys. It isn't ssh. If you don't want users to be able to log in with their passwords, I think the answer is to disable ssh password authentication, not to lock the account. Then you can retain a password for the users, which they can use to sudo after they log in via ssh authorized_keys.


Andre de Miranda's answer provides a nice solution using pam_ssh_agent_auth, but parts are out of date, particularly the /etc/pam.d/sudo instructions when using many current Linux versions.

If you're running Ubuntu 12.04 precise, I've actually simplified the process by providing a pam_ssh_agent_auth build out of a ppa: ppa:cpick/pam-ssh-agent-auth.

You can install the package by running:

sudo add-apt-repository ppa:cpick/pam-ssh-agent-auth
sudo apt-get install pam-ssh-agent-auth

After installation, if you'd like to use this PAM module with sudo, you'll have to configure sudo's settings and PAM configuration. In Ubuntu 12.04 precise you can do that by creating the following two files:

/etc/sudoers.d/pam-ssh-agent-auth :

Defaults    env_keep+="SSH_AUTH_SOCK"

/etc/pam.d/sudo :

#%PAM-1.0

auth       required   pam_env.so readenv=1 user_readenv=0
auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth       sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
@include common-auth
@include common-account
@include common-session-noninteractive

If you're using chef, the above process can be automated with my cookbook, found at either of the two following locations:
https://github.com/cpick/pam-ssh-agent-auth
http://community.opscode.com/cookbooks/pam-ssh-agent-auth.

The cookbook's files directory contains the /etc/pam.d/sudo and /etc/sudoers.d/pam-ssh-agent-auth files described above that work with Ubuntu 12.04 precise and should be a helpful starting point when using other versions/distros.
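
Both the build-it-yourself answer above and the PPA answer end with the same three moving parts: sudo keeps SSH_AUTH_SOCK, /etc/pam.d/sudo consults pam_ssh_agent_auth before common-auth, and the module reads a key file named by file=. The script below is an added example, not code from either answer or from the pam_ssh_agent_auth project, that checks those three things on a host, plus two points the answers leave implicit. Because sudo keeps the caller's SSH_AUTH_SOCK, the caller chooses which agent answers, so the one thing the caller must not be able to edit is the key file named by file=; that is why a root-owned file such as /etc/security/authorized_keys is the safer choice over ~/.ssh/authorized_keys, and the script checks the file's mode bits and prints its owner independently of whatever checks the module itself applies. And the agent must actually hold a key listed in that file, which is what `ssh-add -L | any_key_in_file FILE` tests. All function names are mine, the demo at the bottom writes constructed sample files to a temporary directory rather than touching system files, and the public keys in it are fabricated strings, not real keys. Point the functions at the real files to check a live system.

```shell
#!/bin/sh
# Preflight checks for a pam_ssh_agent_auth + sudo setup. Added example; not
# code from the answers above or from the pam_ssh_agent_auth project. Each
# check is a function returning 0 (pass) or 1 (fail) and takes file paths as
# parameters, so it can be pointed at the real /etc/pam.d/sudo,
# /etc/sudoers.d/pam-ssh-agent-auth and file= path, or at sample files.

# 1. sudo must keep SSH_AUTH_SOCK, or the PAM module never sees the caller's
#    agent. Accepts both spellings used in the answers:
#    'env_keep += SSH_AUTH_SOCK' and 'env_keep+="SSH_AUTH_SOCK"'.
sudoers_keeps_auth_sock() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"?SSH_AUTH_SOCK"?' "$1"
}

# 2. The pam_ssh_agent_auth line must be an 'auth' line placed before
#    '@include common-auth'; otherwise the password stack runs first and the
#    agent is never consulted. Works for both the 'sufficient' form and the
#    '[success=2 default=ignore]' form.
pam_agent_auth_before_common_auth() {
    agent=$(grep -n '^auth[[:space:]].*pam_ssh_agent_auth\.so' "$1" | head -n 1 | cut -d: -f1)
    common=$(grep -n '^@include[[:space:]]*common-auth' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$agent" ] && [ -n "$common" ] && [ "$agent" -lt "$common" ]
}

# 3. Print the file= path from the pam_ssh_agent_auth line (nothing if absent).
pam_agent_auth_keyfile() {
    grep '^auth[[:space:]].*pam_ssh_agent_auth\.so' "$1" | head -n 1 |
        sed -n 's/.*[[:space:]]file=\([^[:space:]]*\).*/\1/p'
}

# 4. sudo trusts whatever socket the caller names in SSH_AUTH_SOCK, so the key
#    file is the only thing standing between "can run sudo" and "is root".
#    Fail if group (column 6) or other (column 9) has the write bit.
keyfile_not_group_or_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)          # e.g. -rw-r--r--
    case "$mode" in
        ?????w*|????????w*) return 1 ;;
        *) return 0 ;;
    esac
}

# Owner of the key file; on a live system this should print "root".
keyfile_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# 5. Does any public key on stdin appear in the key file?  Intended use:
#        ssh-add -L | any_key_in_file /etc/security/authorized_keys
#    Lines that are not 'type AAAA... comment' (e.g. ssh-add's "The agent has
#    no identities." message) are skipped, so they cannot match by accident.
any_key_in_file() {
    while read -r _type blob _comment; do
        case "$blob" in AAAA*) ;; *) continue ;; esac
        if grep -Fq -- "$blob" "$1"; then
            return 0
        fi
    done
    return 1
}

# ---- demo on constructed sample files in a temp dir (not system files) ----
demo=$(mktemp -d)
printf 'Defaults env_keep += SSH_AUTH_SOCK\n'   > "$demo/sudoers-ok"     # first answer's form
printf 'Defaults    env_keep+="SSH_AUTH_SOCK"\n' > "$demo/sudoers-ok2"    # PPA answer's form
printf 'Defaults    env_reset\n'                 > "$demo/sudoers-bad"    # SSH_AUTH_SOCK dropped

cat > "$demo/pam-ok" <<'EOF'
#%PAM-1.0
auth       required   pam_env.so readenv=1 user_readenv=0
auth       sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
@include common-auth
@include common-account
EOF
cat > "$demo/pam-ok2" <<'EOF'
auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
@include common-auth
@include common-account
EOF
cat > "$demo/pam-bad" <<'EOF'
#%PAM-1.0
@include common-auth
auth       sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
@include common-account
EOF

# Constructed strings, not real keys.
KEY_A='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotRealAAAAAAAAAAAAA alice@example'
KEY_B='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherConstructedKeyNotRealBBBBBBBBBBBBBBB bob@example'
printf '%s\n' "$KEY_A" > "$demo/authorized_keys"
chmod 644 "$demo/authorized_keys"

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report sudoers_keeps_auth_sock "$demo/sudoers-ok"
report sudoers_keeps_auth_sock "$demo/sudoers-bad"
report pam_agent_auth_before_common_auth "$demo/pam-ok"
report pam_agent_auth_before_common_auth "$demo/pam-bad"
report keyfile_not_group_or_world_writable "$demo/authorized_keys"
echo "file= path in pam-ok: $(pam_agent_auth_keyfile "$demo/pam-ok"); sample key file owner: $(keyfile_owner "$demo/authorized_keys")"
printf '%s\n' "$KEY_A" | any_key_in_file "$demo/authorized_keys" && echo "PASS: agent key A is in the key file"
```

On a live system, run the checks as the user who will be calling sudo, with the agent forwarded or running locally, and expect `keyfile_owner` to print `root`; a key file the caller can write to turns the whole scheme into "anyone who can write this file gets root".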