On Mon, Dec 12, 2011 at 03:34:28PM -0600, Reid Linnemann wrote:
> On Thu, Dec 8, 2011 at 10:45 AM, Michael W. Lucas
> <mwlu...@blackhelicopters.org> wrote:
> > Hi,
> >
> > I'm attempting to hook security/pam_ssh_agent_auth into sudo, and have
> > learned that PAM doesn't work the way I thought it did.
> >
> > I'm running FreeBSD-9/i386, with sudo 1.7.2.6.
> >
> > My goal is that sudo pass all auth requests back to the users' SSH
> > agent. Sudo should never use passwords for authentication. If the
> > user doesn't have an SSH agent, or if the SSH agent breaks somehow,
> > the sudo request is denied.
> >
> > With my current config, sudo requests are accepted without a password
> > even if the users' environment has no $SSH_AUTH_SOCK. I'm obviously
> > doing something wrong.
> >
> > Here's my pam.d/sudo. I removed password settings and required the
> > pam_ssh_agent_auth library.
> >
> > ---
> > #auth           include         system
> > auth            required        /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
> >
> > # account
> > account         include         system
> >
> > # session
> > # XXX: pam_lastlog (used in system) causes users to appear as though
> > # they are no longer logged in in system logs.
> > session         required        pam_permit.so
> >
> > # password
> > #password       include         system
> > ---
> >
> > Any suggestions what I'm doing wrong?
> >
> > Thanks,
> > ==ml
> >
> > --
> > Michael W. Lucas
> > http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
> > Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
> > mwlu...@blackhelicopters.org, Twitter @mwlauthor
>
> Make sure your sudoers file has
>
> Defaults env_keep += "SSH_AUTH_SOCK"
>
> Also, make sure your matching rule for your user doesn't have NOPASSWD
> set.
> It seems that since you've already authenticated to the system,
> sudo still knows the user and/or group credentials without the pam
> module's help - all it does is authenticate the public and private
> keys. If you have NOPASSWD, sudo doesn't even think it needs to refer
> to the authentication mechanism because according to sudoers it needs
> no password for the user issuing the request.
Hi,

Thanks for answering!

Turns out my problem was that sudo caches the last time the user
authenticated.

For future reference, I blogged how to set this up at
http://blather.michaelwlucas.com/archives/1106

==ml

--
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
mwlu...@blackhelicopters.org, Twitter @mwlauthor
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
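The three traps the thread runs into (sudo's env_reset dropping SSH_AUTH_SOCK so the module cannot reach the agent, a NOPASSWD rule making sudo skip PAM altogether, and sudo reusing a recently cached authentication) can be checked mechanically. The audit script below is an added example written for this page; it is not code from the thread, from sudo or from pam_ssh_agent_auth. The function names, the file names and the sample configs it writes are its own inventions; it assumes the FreeBSD path from the thread (/usr/local/lib/pam_ssh_agent_auth.so) and uses sudo's `timestamp_timeout` Defaults option, which set to 0 makes sudo authenticate on every invocation instead of accepting a recent success.

```shell
#!/bin/sh
# Added audit helper (example code, not from the thread, sudo or pam_ssh_agent_auth).
# Checks a pam.d/sudo file and a sudoers file for the pitfalls the thread names:
#  - pam_ssh_agent_auth.so must be a "required" auth module, with no other auth
#    line beside it (e.g. "auth include system" would allow a password),
#  - sudoers must keep SSH_AUTH_SOCK (env_keep), or the module never sees the agent,
#  - no rule may carry NOPASSWD (sudo then never consults PAM at all),
#  - timestamp_timeout should be 0 so a cached authentication is never reused.
# Function names and the constructed sample configs are this example's own.

# Print the non-comment lines of a config file.
cfg_lines() {
    grep -v '^[[:space:]]*#' "$1" || true
}

# Check pam.d/sudo. Returns the number of failed checks (0 = OK).
check_pam_sudo() {
    pamfile=$1; fails=0
    [ -r "$pamfile" ] || { echo "FAIL: cannot read $pamfile"; return 1; }
    auth=$(cfg_lines "$pamfile" | awk '$1 == "auth"')
    if ! printf '%s\n' "$auth" | grep -q 'required[[:space:]].*pam_ssh_agent_auth\.so'; then
        echo "FAIL: $pamfile: pam_ssh_agent_auth.so is not a 'required' auth module"
        fails=$((fails + 1))
    fi
    # Any other auth line can satisfy the stack with a password or unconditionally.
    if printf '%s\n' "$auth" | grep -v 'pam_ssh_agent_auth\.so' | grep -q .; then
        echo "FAIL: $pamfile: another auth line is present beside pam_ssh_agent_auth"
        fails=$((fails + 1))
    fi
    return $fails
}

# Check sudoers. Returns the number of failed checks (0 = OK).
# Parsing is deliberately simple: one global "Defaults" line per option.
check_sudoers() {
    sudoers=$1; fails=0
    [ -r "$sudoers" ] || { echo "FAIL: cannot read $sudoers"; return 1; }
    body=$(cfg_lines "$sudoers")
    if ! printf '%s\n' "$body" | grep -Eq '^Defaults[[:space:]]+env_keep[[:space:]]*[+]=[[:space:]]*"?[^"]*SSH_AUTH_SOCK'; then
        echo "FAIL: $sudoers: no 'Defaults env_keep += \"SSH_AUTH_SOCK\"'; the module cannot find the agent"
        fails=$((fails + 1))
    fi
    if printf '%s\n' "$body" | grep -q 'NOPASSWD'; then
        echo "FAIL: $sudoers: a NOPASSWD rule makes sudo skip PAM entirely"
        fails=$((fails + 1))
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*0([^0-9.]|$)'; then
        echo "FAIL: $sudoers: timestamp_timeout is not 0; a cached authentication is reused"
        fails=$((fails + 1))
    fi
    return $fails
}

# Audit both files; returns the total number of failed checks.
audit_sudo_agent_auth() {
    total=0
    check_pam_sudo "$1" || total=$((total + $?))
    check_sudoers "$2" || total=$((total + $?))
    echo "$total check(s) failed"
    return $total
}

# Constructed sample files (not real system configs) for a demonstration run.
make_samples() {
    dir=$1
    # "weak": password fallback via system, NOPASSWD, no env_keep, no timeout
    printf '%s\n' \
        'auth      include   system' \
        'auth      required  /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys' \
        'account   include   system' \
        'session   required  pam_permit.so' > "$dir/pam.d-sudo.weak"
    printf '%s\n' \
        'Defaults env_reset' \
        'root   ALL=(ALL) ALL' \
        '%wheel ALL=(ALL) NOPASSWD: ALL' > "$dir/sudoers.weak"
    # "fixed": agent only, SSH_AUTH_SOCK kept, no NOPASSWD, no credential cache
    printf '%s\n' \
        '#auth     include   system' \
        'auth      required  /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys' \
        'account   include   system' \
        'session   required  pam_permit.so' > "$dir/pam.d-sudo.fixed"
    printf '%s\n' \
        'Defaults env_reset' \
        'Defaults env_keep += "SSH_AUTH_SOCK"' \
        'Defaults timestamp_timeout=0' \
        'root   ALL=(ALL) ALL' \
        '%wheel ALL=(ALL) ALL' > "$dir/sudoers.fixed"
}

# Usage: sh sudo_agent_audit.sh PAMFILE SUDOERS   (audit real files)
#        sh sudo_agent_audit.sh --demo            (run on the constructed samples)
case "${1-}" in
--demo)
    tmp=$(mktemp -d)
    make_samples "$tmp"
    echo "== weak pair =="; audit_sudo_agent_auth "$tmp/pam.d-sudo.weak" "$tmp/sudoers.weak" || true
    echo "== fixed pair =="; audit_sudo_agent_auth "$tmp/pam.d-sudo.fixed" "$tmp/sudoers.fixed"
    rm -rf "$tmp" ;;
"") ;;
*)  audit_sudo_agent_auth "$1" "${2:?sudoers path required}" ;;
esac
```

With `--demo` the weak pair fails four checks (the password fallback, the missing env_keep, the NOPASSWD rule and the missing timeout) and the fixed pair passes; with two paths it audits real files, for example /usr/local/etc/pam.d/sudo and /usr/local/etc/sudoers on FreeBSD. A pass is a sanity check, not proof: confirm the behaviour the thread wanted by running `sudo -k` (drop any cached credential) and then `sudo -v` with SSH_AUTH_SOCK unset, which must be denied.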