How to make Shared Keys .ssh/authorized_keys and sudo work together?
What you want to do is possible but it will require some experience as you will have to compile a PAM module called pam-ssh-agent-auth.
The process is reasonably simple:
```
$ sudo aptitude install libssl-dev libpam0g-dev build-essential checkinstall
$ wget "http://downloads.sourceforge.net/project/pamsshagentauth/pam_ssh_agent_auth/v0.9.3/pam_ssh_agent_auth-0.9.3.tar.bz2"
$ tar -xjvf pam_ssh_agent_auth-0.9.3.tar.bz2
$ cd pam_ssh_agent_auth-0.9.3
$ ./configure --libexecdir=/lib/security --with-mantype=man
$ make
$ sudo checkinstall
```
Then edit the sudo configuration:
$ sudo visudo
Add the following:
Defaults env_keep += SSH_AUTH_SOCK
Continue by changing the sudo PAM settings:
$ sudo vi /etc/pam.d/sudo
Add (just above the @include lines):
```
auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
@include common-auth
@include common-account
```
ssh and sudo have nothing to do with each other. Setting up an ssh authentication method isn't going to do anything for sudo. sudo isn't going to understand an ssh key.
passwd -l is intended to lock a user's account, so that he can no longer authenticate by password. That's pretty much the opposite of what you want, which is letting the user authenticate without a password.
I think what you want is the NOPASSWD option in your sudoers file.

(PS, there's no reason to be running a cd command with sudo. cd does not propagate to parent processes, so as soon as the sudo exits, you're back where you started.)
Edit: You keep saying that you want to lock the account password and want sudo to understand public/private keys. Sorry, sudo isn't going to use ssh keys. It isn't ssh. If you don't want users to be able to log in with their passwords, I think the answer is to disable ssh password authentication, not to lock the account. Then you can retain a password for the users, which they can use to sudo after they log in via ssh authorized_keys.
Andre de Miranda's answer provides a nice solution using pam_ssh_agent_auth, but parts are out of date. Particularly the /etc/pam.d/sudo instructions when using many current Linux versions.
If you're running Ubuntu 12.04 precise, I've actually simplified the process by providing a pam_ssh_agent_auth build out of a ppa: ppa:cpick/pam-ssh-agent-auth.
You can install the package by running:
```
sudo add-apt-repository ppa:cpick/pam-ssh-agent-auth
sudo apt-get install pam-ssh-agent-auth
```
After installation, if you'd like to use this PAM module with sudo you'll have to configure sudo's settings and PAM configuration, in Ubuntu 12.04 precise you can do that by creating the following two files:
/etc/pam.d/sudo:

```
#%PAM-1.0
auth required pam_env.so readenv=1 user_readenv=0
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
@include common-auth
@include common-account
@include common-session-noninteractive
```
If you're using chef, the above process can be automated with my cookbook, found at either of the two following locations:
files directory contains the /etc/sudoers.d/pam-ssh-agent-auth files described above that work with Ubuntu 12.04 precise and should be a helpful starting point when using other versions/distros.
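The two fragments the answers above describe, staged and sanity-checked, as an added example that is not part of any answer on this page: it renders the sudoers `env_keep` line and a PAM stack for sudo into a staging directory (a constructed path, nothing under /etc is touched) and checks that the authorized_keys file pam_ssh_agent_auth will trust is owned by root and not group- or world-writable. That check is the practical difference between the two answers: a `file=~/.ssh/authorized_keys` the sudoing user can edit lets that user decide which keys unlock sudo, while a root-owned `/etc/security/authorized_keys` keeps that decision with the administrator. The function names, the staging layout and the sample key line are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the answers above. Stages the sudoers and PAM
# fragments for pam_ssh_agent_auth under a directory of the caller's choosing
# and checks the authorized_keys file the module will trust. Paths and function
# names are constructed for the demonstration.

# Sudoers fragment: sudo must preserve SSH_AUTH_SOCK or the PAM module cannot
# reach the forwarded agent (same Defaults line as in the answers above).
render_sudoers_fragment() {
    printf 'Defaults env_keep += SSH_AUTH_SOCK\n'
}

# PAM stack for sudo. The key file path is a parameter so the caller can pick a
# root-owned location such as /etc/security/authorized_keys rather than a file
# the sudoing user can edit.
render_pam_sudo() {
    keys_file=$1
    printf '#%%PAM-1.0\n'
    printf 'auth sufficient pam_ssh_agent_auth.so file=%s\n' "$keys_file"
    printf '@include common-auth\n'
    printf '@include common-account\n'
    printf '@include common-session-noninteractive\n'
}

# Write both fragments into $1 (constructed staging dir); review them, then
# copy to /etc/sudoers.d/pam-ssh-agent-auth and /etc/pam.d/sudo yourself.
stage_configs() {
    stage=$1
    keys_file=$2
    mkdir -p "$stage/sudoers.d" "$stage/pam.d"
    render_sudoers_fragment > "$stage/sudoers.d/pam-ssh-agent-auth"
    chmod 0440 "$stage/sudoers.d/pam-ssh-agent-auth"
    render_pam_sudo "$keys_file" > "$stage/pam.d/sudo"
}

# Returns 0 if $1 exists, is owned by $2 (default root) and is neither group-
# nor world-writable; otherwise prints the reason and returns 1. A key file the
# sudoing user can write to lets that user choose which keys unlock sudo.
check_keys_file() {
    path=$1
    want_owner=${2:-root}
    [ -f "$path" ] || { echo "missing: $path"; return 1; }
    set -- $(ls -ld "$path")   # POSIX ls -l: $1 = mode string, $3 = owner
    mode=$1
    owner=$3
    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, want $want_owner: $path"; return 1; }
    case $mode in
        ?????w*) echo "group-writable: $path"; return 1 ;;
    esac
    case $mode in
        ????????w*) echo "world-writable: $path"; return 1 ;;
    esac
    return 0
}

# Optional syntax check of the staged sudoers fragment when visudo is installed.
validate_sudoers() {
    command -v visudo >/dev/null 2>&1 || return 0
    visudo -c -f "$1" >/dev/null
}
```

Run `stage_configs /tmp/pam-ssh-stage /etc/security/authorized_keys` and inspect the two files before installing them; `check_keys_file /etc/security/authorized_keys` should pass once that file is root-owned with mode 0644, and it fails for a `~/.ssh/authorized_keys` owned by the user, which is exactly the configuration the first answer's `file=~/.ssh/authorized_keys` line sets up.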