How to make Shared Keys .ssh/authorized_keys and sudo work together?
What you want to do is possible but it will require some experience as you will have to compile a PAM module called pam-ssh-agent-auth.
The process is reasonably simple:
$ sudo aptitude install libssl-dev libpam0g-dev build-essential checkinstall
$ wget "http://downloads.sourceforge.net/project/pamsshagentauth/pam_ssh_agent_auth/v0.9.3/pam_ssh_agent_auth-0.9.3.tar.bz2"
$ tar -xjvf pam_ssh_agent_auth-0.9.3.tar.bz2
$ cd pam_ssh_agent_auth-0.9.3
$ ./configure --libexecdir=/lib/security --with-mantype=man
$ make
$ sudo checkinstall
Then edit the sudo configuration:
$ sudo visudo
Add the following:
Defaults env_keep += SSH_AUTH_SOCK
Continue by changing the sudo PAM settings:
$ sudo vi /etc/pam.d/sudo
Add (just above the @include lines):
**auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys**
@include common-auth
@include common-account
ssh and sudo have nothing to do with each other. Setting up an ssh authentication method isn't going to do anything for sudo. sudo isn't going to understand an ssh password.
passwd -l is intended to lock a user's account, so that he can no longer authenticate by password. That's pretty much the opposite of what you want, which is letting the user authenticate without a password.
I think what you want is the NOPASSWD option in your sudoers file.
(PS, there's no reason to be running a cd command with sudo. cd does not propagate to parent processes, so as soon as the sudo exits, you're back where you started.)
Edit: You keep saying that you want to lock the account password and want sudo to understand public/private keys. Sorry, sudo isn't going to use ssh keys. It isn't ssh. If you don't want users to be able to log in with their passwords, I think the answer is to disable ssh password authentication, not to lock the account. Then you can retain a password for the users, which they can use to sudo after they log in via ssh authorized_keys.
Andre de Miranda's answer provides a nice solution using pam_ssh_agent_auth, but parts are out of date. Particularly the /etc/pam.d/sudo instructions when using many current Linux versions.
If you're running Ubuntu 12.04 precise, I've actually simplified the process by providing a pam_ssh_agent_auth build out of a ppa: ppa:cpick/pam-ssh-agent-auth.
You can install the package by running:
sudo add-apt-repository ppa:cpick/pam-ssh-agent-auth
sudo apt-get install pam-ssh-agent-auth
After installation, if you'd like to use this PAM module with sudo you'll have to configure sudo's settings and PAM configuration. In Ubuntu 12.04 precise you can do that by creating the following two files:
/etc/sudoers.d/pam-ssh-agent-auth :
Defaults env_keep+="SSH_AUTH_SOCK"
/etc/pam.d/sudo :
#%PAM-1.0
auth required pam_env.so readenv=1 user_readenv=0
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
@include common-auth
@include common-account
@include common-session-noninteractive
If you're using chef, the above process can be automated with my cookbook, found at either of the two following locations:
https://github.com/cpick/pam-ssh-agent-auth
http://community.opscode.com/cookbooks/pam-ssh-agent-auth.
The cookbook's files directory contains the /etc/pam.d/sudo and /etc/sudoers.d/pam-ssh-agent-auth files described above that work with Ubuntu 12.04 precise and should be a helpful starting point when using other versions/distros.
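As an added example, not part of any of the answers above or of the pam_ssh_agent_auth project, the script below checks the two pieces of configuration those answers set up: the sudoers `env_keep` line for SSH_AUTH_SOCK, and the `file=` argument on the pam_ssh_agent_auth line in /etc/pam.d/sudo. It flags a key list under the invoking user's home (the `~/.ssh/authorized_keys` form from the first answer), because that file is writable by the very account being authenticated; the function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of any answer above: sanity-check a pam_ssh_agent_auth
# setup by parsing a sudoers fragment and a /etc/pam.d/sudo file. It reports:
#   1. sudo not keeping SSH_AUTH_SOCK (the module then never sees the agent);
#   2. file= pointing under the invoking user's home, which that user (or
#      anything running as them) can edit, instead of a root-owned key list.

# sudoers_keeps_agent_sock FILE -> 0 if a "Defaults env_keep" line names SSH_AUTH_SOCK
sudoers_keeps_agent_sock() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=[[:space:]]*"?[^"]*SSH_AUTH_SOCK' "$1"
}

# pam_keyfile FILE -> prints the file= value of the pam_ssh_agent_auth auth line
pam_keyfile() {
    sed -n 's/^[[:space:]]*auth[[:space:]].*pam_ssh_agent_auth\.so.*file=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# keyfile_is_root_controlled PATH -> 0 for an absolute path that does not expand
# from the user's home (the module expands "~" and "%h" to that home directory)
keyfile_is_root_controlled() {
    case "$1" in
        "~"*|%h*|/home/*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_setup SUDOERS_FRAGMENT PAM_SUDO -> 0 when both checks pass, 1 otherwise
check_setup() {
    ok=0
    sudoers_keeps_agent_sock "$1" || { echo "sudoers: SSH_AUTH_SOCK not in env_keep"; ok=1; }
    kf=$(pam_keyfile "$2")
    if [ -z "$kf" ]; then
        echo "pam: no pam_ssh_agent_auth auth line with file="; ok=1
    elif ! keyfile_is_root_controlled "$kf"; then
        echo "pam: file=$kf is user-writable; prefer /etc/security/authorized_keys"; ok=1
    fi
    return $ok
}

# Constructed sample files (not real system files) so the script runs stand-alone.
tmp=$(mktemp -d)
printf 'Defaults env_keep+="SSH_AUTH_SOCK"\n' > "$tmp/sudoers-good"
printf 'Defaults env_reset\n' > "$tmp/sudoers-bad"
printf '#%%PAM-1.0\nauth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys\n@include common-auth\n' > "$tmp/pam-good"
printf '#%%PAM-1.0\nauth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys\n@include common-auth\n' > "$tmp/pam-home"
check_setup "$tmp/sudoers-good" "$tmp/pam-good" && echo "OK: $tmp/pam-good"
check_setup "$tmp/sudoers-good" "$tmp/pam-home" || echo "FAIL: $tmp/pam-home"
```

To check a real system, call `check_setup /etc/sudoers.d/pam-ssh-agent-auth /etc/pam.d/sudo` instead of the constructed files.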