Sudo authentication with libpam-ssh-agent

on Sep 28, 2010

In virtualized environments, even a simple infrastructure easily contains 15 to 20 hosts, and administrators often have to perform operations across several of them. One consequence: a (good) administrator has to enter his passwords to “unlock” sudo several dozen times per day.

There are many bad solutions and not so many good ones. We have been testing one of the good ones for 2 weeks: libpam-ssh-agent, or pam_ssh_agent_auth (its original name).

The principle is simple: you are already using password-less authentication for ssh. libpam-ssh-agent makes this mechanism usable in any PAM configuration. It looks like a really good solution for sudo authentication.

Configure libpam-ssh-agent

A small example with your laptop and one of your servers: your ssh DSA/RSA private/public key pair is on your laptop and is protected by a strong passphrase (if not, create a new one!). An ssh-agent lets you enter this passphrase less frequently.

On your server, install libpam-ssh-agent. The libpam-ssh-agent Debian packages are available in our repository:

apt-get install libpam-ssh-agent

Change the server's sudo PAM configuration, /etc/pam.d/sudo, to authenticate users via pam_ssh_agent_auth:

auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
auth requisite pam_unix.so nullok_secure

@include common-account

session required
session required

In this configuration, each user can authorize their own keys. If you don’t trust them enough, use a file managed by you (like /etc/security/authorized_keys).

Allow the ssh authentication socket to be accessible in the sudo environment by adding this line to the server's /etc/sudoers:

Defaults env_keep += SSH_AUTH_SOCK
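
A way to check the two server-side settings above before relying on them (an added example, not part of the original post or of the libpam-ssh-agent package): the hypothetical helper audit_sudo_agent_auth reads a PAM file and a sudoers file and flags a key list that users can edit themselves, or a missing SSH_AUTH_SOCK in env_keep. The sample files are constructed, and treating %h like ~ assumes the module's home-directory token.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sudo PAM stack that
# uses pam_ssh_agent_auth. Prints findings; returns 1 if any WARN was raised.
audit_sudo_agent_auth() {   # hypothetical helper name
    pam_file=$1; sudoers_file=$2; warn=0
    # First active (uncommented) auth line that loads the module.
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_ssh_agent_auth\.so' "$pam_file" | head -n 1)
    if [ -z "$line" ]; then
        echo "WARN: no pam_ssh_agent_auth.so auth line in $pam_file"; return 1
    fi
    # file= names the list of public keys that are allowed to unlock sudo.
    keyfile=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]file=\([^[:space:]]*\).*/\1/p')
    case $keyfile in
        '')
            echo "WARN: no file= argument on the module line"; warn=1 ;;
        '~'*|*%h*)  # ~ and %h (assumed token) point into the invoking user's home
            echo "WARN: $keyfile is user-controlled: whoever can write it decides which keys unlock sudo"; warn=1 ;;
        /*)
            # POSIX find: flag a key list that is not root-owned or is group/world-writable.
            if [ -e "$keyfile" ] && find "$keyfile" -prune \( ! -user root -o -perm -020 -o -perm -002 \) -print | grep -q .; then
                echo "WARN: $keyfile must be owned by root and writable only by root"; warn=1
            else
                echo "OK: key list $keyfile is a fixed path"
            fi ;;
        *)
            echo "WARN: $keyfile is not an absolute path"; warn=1 ;;
    esac
    # Without SSH_AUTH_SOCK in env_keep, sudo drops it and the module cannot reach the agent.
    if grep -Eq '^[[:space:]]*Defaults[^#]*env_keep[[:space:]]*\+?=[^#]*SSH_AUTH_SOCK' "$sudoers_file"; then
        echo "OK: sudoers keeps SSH_AUTH_SOCK"
    else
        echo "WARN: SSH_AUTH_SOCK is not in env_keep in $sudoers_file"; warn=1
    fi
    return $warn
}

# Constructed sample files mirroring the configuration in this post.
demo=$(mktemp -d)
printf '%s\n' 'auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys' \
              'auth requisite pam_unix.so nullok_secure' > "$demo/sudo"
printf '%s\n' 'Defaults env_keep += SSH_AUTH_SOCK' > "$demo/sudoers"
audit_sudo_agent_auth "$demo/sudo" "$demo/sudoers" || true   # WARN on ~/..., OK on env_keep
rm -rf "$demo"
```

On a real server, call it as root with /etc/pam.d/sudo and /etc/sudoers, since sudoers is normally readable only by root.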

Here is the puppet snippet for this server configuration.

Use libpam-ssh-agent

Connect to the server from your laptop, forwarding the connection to the authentication agent (the -A ssh option):

laptop$ ssh -A your.server.tld

sudo should not ask for your password (if needed, use sudo -K to clear your time stamp):

server$ sudo /bin/true

Sudo should use pam_ssh_agent_auth to authenticate you:

server$ tail /var/log/auth.log
Sep 28 21:13:58 www sudo[30348]: pam_ssh_agent_auth: Authenticated: ...

In your ~/.ssh/config, you can add:

Host *.myservers.priv
ForwardAgent yes

Ssh agent

Most desktop environments (KDE, GNOME, etc.) provide an ssh agent implementation, with or without a nice graphical interface.

Choose a sensible timeout to keep your key(s) safe when your laptop is left unattended during your coffee break.

Read dpkg’s post “You should be using ssh-agent” on Debian Administration.

libpam-ssh-agent debian package

libpam-ssh-agent isn’t provided by Debian (or Ubuntu) for the moment (see ITP #595817).

But we created a first package. libpam-ssh-agent binaries are available for lenny i386 and amd64 on

The package sources are available in this git repository.

Create an ssh key …

If you need to create a (new) ssh key, back up the existing one first:

$ rename 's/(.*)/$1.bak/' ~/.ssh/id_[rd]sa*

To create a new DSA key:

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ~/.ssh/id_dsa.
Your public key has been saved in ~/.ssh/
The key fingerprint is:
5e:9f:8c:b4:84:57:5b:23:67:18:37:57:6e:d8:27:2d alban@hyppo
The key's randomart image is:
+--[ DSA 1024]----+
|            . o +|
|             + B |
|            + E *|
|         . . * =.|
|        S = .    |
|       . = = .   |
|        . o +    |
|                 |
|                 |

If needed, you can still use the previous key with the ssh -i option:

ssh -i ~/.ssh/id_rsa.bak ...