From owner-freebsd-questions@FreeBSD.ORG  Tue Dec 13 14:09:48 2011
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 723B8106566B
	for <questions@freebsd.org>; Tue, 13 Dec 2011 14:09:48 +0000 (UTC)
	(envelope-from mwlucas@bewilderbeast.blackhelicopters.org)
Received: from bewilderbeast.blackhelicopters.org
	(mwlucas-2-pt.tunnel.tserv9.chi1.ipv6.he.net
	[IPv6:2001:470:1f10:b9c::2])
	by mx1.freebsd.org (Postfix) with ESMTP id 4110E8FC08
	for <questions@freebsd.org>; Tue, 13 Dec 2011 14:09:48 +0000 (UTC)
Received: from bewilderbeast.blackhelicopters.org (localhost [127.0.0.1])
	by bewilderbeast.blackhelicopters.org (8.14.4/8.14.5) with ESMTP id
	pBDE9lWG094993; Tue, 13 Dec 2011 09:09:47 -0500 (EST)
	(envelope-from mwlucas@bewilderbeast.blackhelicopters.org)
Received: (from mwlucas@localhost)
	by bewilderbeast.blackhelicopters.org (8.14.4/8.14.5/Submit) id
	pBDE9lhF094992; Tue, 13 Dec 2011 09:09:47 -0500 (EST)
	(envelope-from mwlucas)
Date: Tue, 13 Dec 2011 09:09:47 -0500
From: "Michael W. Lucas" <mwlucas@blackhelicopters.org>
To: Reid Linnemann <lreid@webmail.cs.okstate.edu>
Message-ID: <20111213140947.GB94954@bewilderbeast.blackhelicopters.org>
References: <20111208164533.GA67774@bewilderbeast.blackhelicopters.org>
	<CA+0MdpOtsT1Vk-7mT9bt5GL2o5FXOKTBy2hnavfM1C21vFLAiw@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CA+0MdpOtsT1Vk-7mT9bt5GL2o5FXOKTBy2hnavfM1C21vFLAiw@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.6
	(bewilderbeast.blackhelicopters.org [127.0.0.1]);
	Tue, 13 Dec 2011 09:09:47 -0500 (EST)
Cc: questions@freebsd.org
Subject: Re: PAM confusion
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Dec 2011 14:09:48 -0000

On Mon, Dec 12, 2011 at 03:34:28PM -0600, Reid Linnemann wrote:
> On Thu, Dec 8, 2011 at 10:45 AM, Michael W. Lucas
> <mwlucas@blackhelicopters.org> wrote:
> > Hi,
> >
> > I'm attempting to hook security/pam_ssh_agent_auth into sudo, and have
> > learned that PAM doesn't work the way I thought it did.
> >
> > I'm running FreeBSD-9/i386, with sudo 1.7.2.6.
> >
> > My goal is that sudo pass all auth requests back to the users' SSH
> > agent. ?Sudo should never use passwords for authentication. If the
> > user doesn't have an SSH agent, or if the SSH agent breaks somehow,
> > the sudo request is denied.
> >
> > With my current config, sudo requests are accepted without a password
> > even if the users' environment has no $SSH_AUTH_SOCK. I'm obviously
> > doing something wrong.
> >
> > Here's my pam.d/sudo. I removed password settings and required the
> > pam_ssh_agent_auth library.
> >
> > ---
> > #auth ? ? ? ? ? include ? ? ? ? system
> > auth ? ? ? ? ? ?required ? ? ? ?/usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized\
> > _keys
> >
> > # account
> > account ? ? ? ? include ? ? ? ? system
> >
> > # session
> > # XXX: pam_lastlog (used in system) causes users to appear as though
> > # they are no longer logged in in system logs.
> > session ? ? ? ? required ? ? ? ?pam_permit.so
> >
> > # password
> > #password ? ? ? include ? ? ? ? system
> > ---
> >
> > Any suggestions what I'm doing wrong?
> >
> > Thanks,
> > ==ml
> >
> > --
> > Michael W. Lucas
> > http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
> > Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
> > mwlucas@BlackHelicopters.org, Twitter @mwlauthor
> 
> Make sure your sudoers file has
> 
> Defaults env_keep += "SSH_AUTH_SOCK"
> 
> Also, make sure your matching rule for your user doesn't have NOPASSWD
> set. It seems that since you've already authenticated to the system,
> sudo still knows the user and/or group credentials without the pam
> module's help - all it does is authenticate the public and private
> keys. If you have NOPASSWD, sudo doesn't even think it needs to refer
> to the authentication mechanism because according to sudoers it needs
> no password for the user issuing the request.

Hi,

Thanks for answering!

Turns out my problem was that sudo caches the last time the user
authenticated.

For future reference, I blogged how to set this up at
http://blather.michaelwlucas.com/archives/1106

==ml

-- 
Michael W. Lucas 	
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
mwlucas@BlackHelicopters.org, Twitter @mwlauthor