Date: Tue, 13 Dec 2011 09:09:47 -0500
From: "Michael W. Lucas" <mwlucas@blackhelicopters.org>
To: Reid Linnemann <lreid@webmail.cs.okstate.edu>
Cc: questions@freebsd.org
Subject: Re: PAM confusion
Message-ID: <20111213140947.GB94954@bewilderbeast.blackhelicopters.org>
In-Reply-To: <CA%2B0MdpOtsT1Vk-7mT9bt5GL2o5FXOKTBy2hnavfM1C21vFLAiw@mail.gmail.com>
References: <20111208164533.GA67774@bewilderbeast.blackhelicopters.org> <CA%2B0MdpOtsT1Vk-7mT9bt5GL2o5FXOKTBy2hnavfM1C21vFLAiw@mail.gmail.com>
On Mon, Dec 12, 2011 at 03:34:28PM -0600, Reid Linnemann wrote:
> On Thu, Dec 8, 2011 at 10:45 AM, Michael W. Lucas
> <mwlucas@blackhelicopters.org> wrote:
> > Hi,
> >
> > I'm attempting to hook security/pam_ssh_agent_auth into sudo, and have
> > learned that PAM doesn't work the way I thought it did.
> >
> > I'm running FreeBSD-9/i386, with sudo 1.7.2.6.
> >
> > My goal is that sudo pass all auth requests back to the users' SSH
> > agent. Sudo should never use passwords for authentication. If the
> > user doesn't have an SSH agent, or if the SSH agent breaks somehow,
> > the sudo request is denied.
> >
> > With my current config, sudo requests are accepted without a password
> > even if the users' environment has no $SSH_AUTH_SOCK. I'm obviously
> > doing something wrong.
> >
> > Here's my pam.d/sudo. I removed password settings and required the
> > pam_ssh_agent_auth library.
> >
> > ---
> > #auth           include         system
> > auth            required        /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
> >
> > # account
> > account         include         system
> >
> > # session
> > # XXX: pam_lastlog (used in system) causes users to appear as though
> > # they are no longer logged in in system logs.
> > session         required        pam_permit.so
> >
> > # password
> > #password       include         system
> > ---
> >
> > Any suggestions what I'm doing wrong?
> >
> > Thanks,
> > ==ml
> >
> > --
> > Michael W. Lucas
> > http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
> > Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
> > mwlucas@BlackHelicopters.org, Twitter @mwlauthor
>
> Make sure your sudoers file has
>
> Defaults env_keep += "SSH_AUTH_SOCK"
>
> Also, make sure your matching rule for your user doesn't have NOPASSWD
> set. It seems that since you've already authenticated to the system,
> sudo still knows the user and/or group credentials without the pam
> module's help - all it does is authenticate the public and private
> keys. If you have NOPASSWD, sudo doesn't even think it needs to refer
> to the authentication mechanism because according to sudoers it needs
> no password for the user issuing the request.

Hi,

Thanks for answering!

Turns out my problem was that sudo caches the last time the user
authenticated.

For future reference, I blogged how to set this up at
http://blather.michaelwlucas.com/archives/1106

==ml

--
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
mwlucas@BlackHelicopters.org, Twitter @mwlauthor
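As an added example (not from the thread), a POSIX sh audit that checks a sudoers file and a pam.d/sudo file for the pitfalls raised above: a NOPASSWD rule, SSH_AUTH_SOCK missing from env_keep, sudo's authentication timestamp cache, and an auth stack that is not exactly one required pam_ssh_agent_auth line. The sample config files are constructed here; timestamp_timeout=0 is the sudoers Defaults setting that disables the cache.

```shell
#!/bin/sh
# Added example, not from the thread: audit a sudoers file and a pam.d/sudo
# file for the pitfalls discussed above. Only the named files are read;
# sudoers #includedir drop-ins are not followed.

# Prints one line per finding; returns 0 when all checks pass, 1 otherwise.
audit_sudo_agent_auth() {
    sudoers=$1; pamfile=$2; rc=0
    # NOPASSWD makes sudo skip PAM entirely for the matching rule.
    if grep -Eq '^[^#]*NOPASSWD' "$sudoers"; then
        echo "FAIL: NOPASSWD rule bypasses PAM"; rc=1
    fi
    # Without SSH_AUTH_SOCK in env_keep the module cannot find the agent.
    if ! grep -Eq '^[^#]*env_keep[[:space:]]*[+]?=.*SSH_AUTH_SOCK' "$sudoers"; then
        echo "FAIL: SSH_AUTH_SOCK not preserved by env_keep"; rc=1
    fi
    # A cached timestamp lets later sudo runs skip authentication.
    if ! grep -Eq '^[^#]*timestamp_timeout[[:space:]]*=[[:space:]]*0([^0-9]|$)' "$sudoers"; then
        echo "FAIL: timestamp caching enabled (set timestamp_timeout=0)"; rc=1
    fi
    # Exactly one active auth line, and it must be 'required pam_ssh_agent_auth'.
    n=$(grep -Ec '^[[:space:]]*auth[[:space:]]' "$pamfile" || true)
    if [ "$n" -ne 1 ] || ! grep -Eq \
        '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_ssh_agent_auth\.so' "$pamfile"; then
        echo "FAIL: auth stack is not a single required pam_ssh_agent_auth line"; rc=1
    fi
    return $rc
}

# Writes constructed sample configs to a temp dir and prints its path.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'Defaults env_reset' '%wheel ALL=(ALL) NOPASSWD: ALL' > "$d/sudoers.bad"
    printf '%s\n' 'Defaults env_reset' 'Defaults env_keep += "SSH_AUTH_SOCK"' \
        'Defaults timestamp_timeout=0' '%wheel ALL=(ALL) ALL' > "$d/sudoers.good"
    printf '%s\n' '#auth include system' \
        'auth required /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys' \
        'account include system' 'session required pam_permit.so' > "$d/pam_sudo"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    audit_sudo_agent_auth "$d/sudoers.bad" "$d/pam_sudo" || echo "bad config rejected"
    audit_sudo_agent_auth "$d/sudoers.good" "$d/pam_sudo" && echo "good config accepted"
    rm -rf "$d"
fi
```

Run it with --demo to see both constructed configurations evaluated; on a real FreeBSD host point the function at /usr/local/etc/sudoers and /etc/pam.d/sudo instead.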