Date: Mon, 12 Dec 2011 15:34:28 -0600 From: Reid Linnemann <lreid@cs.okstate.edu> To: "Michael W. Lucas" <mwlucas@blackhelicopters.org> Cc: questions@freebsd.org Subject: Re: PAM confusion Message-ID: <CA%2B0MdpOtsT1Vk-7mT9bt5GL2o5FXOKTBy2hnavfM1C21vFLAiw@mail.gmail.com> In-Reply-To: <20111208164533.GA67774@bewilderbeast.blackhelicopters.org> References: <20111208164533.GA67774@bewilderbeast.blackhelicopters.org>
On Thu, Dec 8, 2011 at 10:45 AM, Michael W. Lucas <mwlucas@blackhelicopters.org> wrote:
> Hi,
>
> I'm attempting to hook security/pam_ssh_agent_auth into sudo, and have
> learned that PAM doesn't work the way I thought it did.
>
> I'm running FreeBSD-9/i386, with sudo 1.7.2.6.
>
> My goal is that sudo pass all auth requests back to the users' SSH
> agent.  Sudo should never use passwords for authentication. If the
> user doesn't have an SSH agent, or if the SSH agent breaks somehow,
> the sudo request is denied.
>
> With my current config, sudo requests are accepted without a password
> even if the users' environment has no $SSH_AUTH_SOCK. I'm obviously
> doing something wrong.
>
> Here's my pam.d/sudo. I removed password settings and required the
> pam_ssh_agent_auth library.
>
> ---
> #auth           include         system
> auth            required        /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized\
> _keys
>
> # account
> account         include         system
>
> # session
> # XXX: pam_lastlog (used in system) causes users to appear as though
> # they are no longer logged in in system logs.
> session         required        pam_permit.so
>
> # password
> #password       include         system
> ---
>
> Any suggestions what I'm doing wrong?
>
> Thanks,
> ==ml
>
> --
> Michael W. Lucas
> http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
> Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
> mwlucas@BlackHelicopters.org, Twitter @mwlauthor

Make sure your sudoers file has

Defaults env_keep += "SSH_AUTH_SOCK"

Also, make sure your matching rule for your user doesn't have NOPASSWD set. It seems that since you've already authenticated to the system, sudo still knows the user and/or group credentials without the pam module's help - all it does is authenticate the public and private keys.
If you have NOPASSWD, sudo doesn't even think it needs to refer to the authentication mechanism because according to sudoers it needs no password for the user issuing the request.
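The two pitfalls raised in this thread (SSH_AUTH_SOCK scrubbed from the environment before pam_ssh_agent_auth runs, and a NOPASSWD rule that makes sudo skip PAM authentication entirely) can be caught by reading the configuration files before relying on them. The script below is an added example, not code from either poster or from the pam_ssh_agent_auth project: it lints a sudoers file and a pam.d/sudo file for those two conditions, plus a third one the original config gets right (no password module left in the auth stack). The file paths and all sample file contents are constructed for the example; the check is a textual one and does not follow sudoers aliases or #include directives.

```shell
#!/bin/sh
# Added example: lint sudoers and pam.d/sudo for the agent-auth pitfalls
# discussed in the thread. Sample files are constructed below; real systems
# would point these functions at /usr/local/etc/sudoers and /etc/pam.d/sudo.

# 0 if some non-comment "Defaults env_keep" line preserves SSH_AUTH_SOCK.
sudoers_keeps_agent_sock() {
    grep -Ev '^[[:space:]]*#' "$1" |
        grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*[+]?=.*SSH_AUTH_SOCK'
}

# 0 if any non-comment rule grants NOPASSWD (sudo then never consults PAM).
sudoers_has_nopasswd() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -q 'NOPASSWD:'
}

# 0 if pam_ssh_agent_auth is "required" or "requisite" in the auth stack.
pam_auth_requires_agent() {
    grep -Ev '^[[:space:]]*#' "$1" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+.*pam_ssh_agent_auth\.so'
}

# 0 if the auth stack still reaches a password module (pam_unix directly,
# or the "system" include that pulls it in).
pam_auth_has_password_fallback() {
    grep -Ev '^[[:space:]]*#' "$1" |
        grep -E '^[[:space:]]*auth[[:space:]]' |
        grep -Eq 'pam_unix\.so|include[[:space:]]+system'
}

# Print one finding per check; return 0 only when every check passes.
check_sudo_agent_auth() {
    sudoers=$1; pamsudo=$2; rc=0
    if sudoers_keeps_agent_sock "$sudoers"; then echo "ok: env_keep preserves SSH_AUTH_SOCK"
    else echo "FAIL: sudoers does not keep SSH_AUTH_SOCK; the module will never see the agent"; rc=1; fi
    if sudoers_has_nopasswd "$sudoers"; then echo "FAIL: NOPASSWD rule present; sudo skips PAM authentication"; rc=1
    else echo "ok: no NOPASSWD rules"; fi
    if pam_auth_requires_agent "$pamsudo"; then echo "ok: pam_ssh_agent_auth is required in the auth stack"
    else echo "FAIL: pam_ssh_agent_auth is not required in the auth stack"; rc=1; fi
    if pam_auth_has_password_fallback "$pamsudo"; then echo "FAIL: auth stack still includes a password module"; rc=1
    else echo "ok: no password fallback in the auth stack"; fi
    return $rc
}

# Constructed sample files: one pair matching the intended setup, one pair
# showing the misconfiguration the thread describes.
write_samples() {
    dir=$1
    cat > "$dir/sudoers.good" <<'EOF'
Defaults env_keep += "SSH_AUTH_SOCK"
%wheel ALL=(ALL) ALL
EOF
    cat > "$dir/sudoers.bad" <<'EOF'
# no env_keep, so SSH_AUTH_SOCK is scrubbed before the module runs
%wheel ALL=(ALL) NOPASSWD: ALL
EOF
    cat > "$dir/pam_sudo.good" <<'EOF'
auth     required   /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
account  include    system
session  required   pam_permit.so
EOF
    cat > "$dir/pam_sudo.bad" <<'EOF'
auth     include    system
auth     sufficient /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
account  include    system
session  required   pam_permit.so
EOF
}

# Demo run over the constructed files.
demo=$(mktemp -d)
write_samples "$demo"
echo "--- intended configuration ---"
check_sudo_agent_auth "$demo/sudoers.good" "$demo/pam_sudo.good" && echo "verdict: agent-only sudo"
echo "--- misconfiguration from the thread ---"
check_sudo_agent_auth "$demo/sudoers.bad" "$demo/pam_sudo.bad" || echo "verdict: sudo will not enforce agent auth"
rm -rf "$demo"
```

The checks are deliberately conservative: `pam_auth_has_password_fallback` treats any `include system` in the auth stack as a password path, because on FreeBSD that file supplies pam_unix, and `sudoers_has_nopasswd` flags any NOPASSWD tag rather than trying to work out which rule matches which user. A clean result from this script is a prerequisite, not a substitute, for testing the real thing by running sudo from a shell with SSH_AUTH_SOCK unset and confirming it is refused.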