Setting up PAM SSH agent authentication for sudo login

$byte\schneiderei$

Published in

byte\schneiderei

2 min readAug 28, 2017

Setting up your Ubuntu server

For security reasons it is good to disable password based login and use ssh keys instead. As long you are using the root user this works fine. If you want to use regular user accounts you will soon have the problem that the sudo prompt wants a password as authorization. I use the pam_ssh_agent_auth package with ssh keys instead.

1. Install required software

First you have to install following packages from the Ubuntu repo to be able to build the pam_ssh_agent_auth archive.

$ sudo apt-get install build-essential checkinstall libssl-dev libpam0g-dev

2. Download and install pam_ssh_agent_auth

Then you need the latest version of the archive. When I wrote this article 0.10.3 was the latest one.

$ wget “http://downloads.sourceforge.net/project/pamsshagentauth/pam_ssh_agent_auth/v0.10.3/pam_ssh_agent_auth-0.10.3.tar.bz2" -P /tmp
tar -xjvf pam_ssh_agent_auth-0.10.3.tar.bz2

Next you have to configure it and create a Makefile:

$ /tmp/pam_ssh_agent_auth-0.10.3/configure — libexecdir=/lib/security — with-mantype=man

Now you can build and install the pam_ssh_agent_auth:

$ cd /tmp
$ make
$ sudo checkinstall

Now the package is installed on your server. As the last two steps you have to configure sudo to use this package. Open /etc/pam.d/sudo and add following:

#%PAM-1.0
auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
auth required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
…..

Instead of the key file in the user directory you can also create a global used authorized_keys file under /etc/security/authorized_keys for example.

As the last step you have to add following to /etc/sudoers using visudo command: