From owner-freebsd-questions@FreeBSD.ORG Mon Dec 12 21:56:57 2011
From: Reid Linnemann
To: "Michael W. Lucas"
Cc: questions@freebsd.org
Date: Mon, 12 Dec 2011 15:34:28 -0600
Subject: Re: PAM confusion
In-Reply-To: <20111208164533.GA67774@bewilderbeast.blackhelicopters.org>
List-Id: User questions

On Thu, Dec 8, 2011 at 10:45 AM, Michael W. Lucas wrote:
> Hi,
>
> I'm attempting to hook security/pam_ssh_agent_auth into sudo, and have
> learned that PAM doesn't work the way I thought it did.
>
> I'm running FreeBSD-9/i386, with sudo 1.7.2.6.
>
> My goal is that sudo pass all auth requests back to the users' SSH
> agent. Sudo should never use passwords for authentication. If the
> user doesn't have an SSH agent, or if the SSH agent breaks somehow,
> the sudo request is denied.
>
> With my current config, sudo requests are accepted without a password
> even if the users' environment has no $SSH_AUTH_SOCK. I'm obviously
> doing something wrong.
>
> Here's my pam.d/sudo. I removed password settings and required the
> pam_ssh_agent_auth library.
>
> ---
> #auth           include         system
> auth            required        /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized\
> _keys
>
> # account
> account         include         system
>
> # session
> # XXX: pam_lastlog (used in system) causes users to appear as though
> # they are no longer logged in in system logs.
> session         required        pam_permit.so
>
> # password
> #password       include         system
> ---
>
> Any suggestions what I'm doing wrong?
>
> Thanks,
> ==ml
>
> --
> Michael W. Lucas
> http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
> Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
> mwlucas@BlackHelicopters.org, Twitter @mwlauthor

Make sure your sudoers file has

Defaults env_keep += "SSH_AUTH_SOCK"

Also, make sure your matching rule for your user doesn't have NOPASSWD set. It seems that since you've already authenticated to the system, sudo still knows the user and/or group credentials without the pam module's help - all it does is authenticate the public and private keys. If you have NOPASSWD, sudo doesn't even think it needs to refer to the authentication mechanism because according to sudoers it needs no password for the user issuing the request.
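The two sudoers pitfalls Reid points at (the agent socket being scrubbed by env_reset, and a NOPASSWD tag that lets sudo skip the PAM auth stack entirely) are easy to miss by eye, so here is a small lint that checks a sudoers file and a pam.d/sudo file for both, as an added example that is not part of the thread and not code from sudo, OpenPAM or pam_ssh_agent_auth. The sample inputs are constructed: the PAM stack is the one Michael posted, while the "before" and "after" sudoers fragments, the user name "mwlucas" and the wheel group membership are assumptions made for the demonstration. It goes slightly beyond the thread by also flagging a pam_permit line in the auth facility, since such a line would accept every request regardless of the agent.

```python
import re

# Constructed sample inputs (not from the thread). PAM_SUDO is the stack the
# questioner posted, including his backslash-continued "file=" argument.
PAM_SUDO = """\
#auth           include         system
auth            required        /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized\\
_keys
account         include         system
session         required        pam_permit.so
#password       include         system
"""

# Hypothetical sudoers before the fixes: env_reset scrubs SSH_AUTH_SOCK and
# the wheel rule carries NOPASSWD, so sudo never consults PAM at all.
SUDOERS_BEFORE = """\
Defaults env_reset
%wheel ALL=(ALL) NOPASSWD: ALL
"""

# The same file after applying both suggestions from the reply.
SUDOERS_AFTER = """\
Defaults env_reset
Defaults env_keep += "SSH_AUTH_SOCK"
%wheel ALL=(ALL) ALL
"""


def logical_lines(text):
    """Yield non-empty, non-comment lines, joining lines that end in a
    backslash (both pam.conf(5) and sudoers(5) accept that continuation)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line = (buf + line).strip()
        buf = ""
        if line and not line.startswith("#"):
            yield line
    tail = buf.strip()
    if tail and not tail.startswith("#"):
        yield tail


def pam_auth_stack(text):
    """Return [(control, module, [args])] for the auth facility only."""
    stack = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2], fields[3:]))
    return stack


def env_keep_vars(text):
    """Collect every variable named on a 'Defaults env_keep' line."""
    keep = set()
    for line in logical_lines(text):
        m = re.match(r'Defaults\s+env_keep\s*\+?=\s*"?([^"]*)"?\s*$', line)
        if m:
            keep.update(m.group(1).split())
    return keep


def nopasswd_specs(text, user, groups=()):
    """Return the user-spec lines that apply to `user` (directly, via ALL,
    or via one of `groups`) and carry the NOPASSWD tag."""
    hits = []
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            continue
        who = line.split()[0]
        applies = (who == user or who == "ALL"
                   or (who.startswith("%") and who[1:] in groups))
        if applies and "NOPASSWD:" in line:
            hits.append(line)
    return hits


def lint(sudoers, pam_sudo, user, groups=()):
    """Return a list of findings; an empty list means the config matches
    the goal in the thread (agent-only auth, no password fallback)."""
    findings = []
    if "SSH_AUTH_SOCK" not in env_keep_vars(sudoers):
        findings.append("sudoers: SSH_AUTH_SOCK is not in env_keep, so the "
                        "PAM module cannot reach the user's agent")
    for spec in nopasswd_specs(sudoers, user, groups):
        findings.append("sudoers: NOPASSWD skips the PAM auth stack: " + spec)
    auth = pam_auth_stack(pam_sudo)
    if not any("pam_ssh_agent_auth" in mod and ctl in ("required", "requisite")
               for ctl, mod, _ in auth):
        findings.append("pam.d/sudo: no required/requisite pam_ssh_agent_auth line")
    if any("pam_permit" in mod for _, mod, _ in auth):
        findings.append("pam.d/sudo: pam_permit in the auth facility accepts everyone")
    return findings


if __name__ == "__main__":
    for label, sudoers in (("before", SUDOERS_BEFORE), ("after", SUDOERS_AFTER)):
        print(label, lint(sudoers, PAM_SUDO, "mwlucas", groups=("wheel",)) or ["clean"])
```

The "before" run reports both findings and the "after" run reports none, which is the configuration state the reply is asking for. The lint is a reading aid, not a replacement for visudo -c; it deliberately ignores aliases and host specs so the two checks stay easy to audit.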