From owner-freebsd-questions@FreeBSD.ORG Tue Dec 13 14:09:48 2011
Date: Tue, 13 Dec 2011 09:09:47 -0500
From: "Michael W. Lucas"
To: Reid Linnemann
Cc: questions@freebsd.org
Subject: Re: PAM confusion
Message-ID: <20111213140947.GB94954@bewilderbeast.blackhelicopters.org>
References: <20111208164533.GA67774@bewilderbeast.blackhelicopters.org>
User-Agent: Mutt/1.4.2.3i
List-Id: User questions

On Mon, Dec 12, 2011 at 03:34:28PM -0600, Reid Linnemann wrote:
> On Thu, Dec 8, 2011 at 10:45 AM, Michael W. Lucas wrote:
> > Hi,
> >
> > I'm attempting to hook security/pam_ssh_agent_auth into sudo, and have
> > learned that PAM doesn't work the way I thought it did.
> >
> > I'm running FreeBSD-9/i386, with sudo 1.7.2.6.
> >
> > My goal is that sudo pass all auth requests back to the users' SSH
> > agent. Sudo should never use passwords for authentication. If the
> > user doesn't have an SSH agent, or if the SSH agent breaks somehow,
> > the sudo request is denied.
> >
> > With my current config, sudo requests are accepted without a password
> > even if the users' environment has no $SSH_AUTH_SOCK. I'm obviously
> > doing something wrong.
> >
> > Here's my pam.d/sudo. I removed password settings and required the
> > pam_ssh_agent_auth library.
> >
> > ---
> > #auth           include         system
> > auth            required        /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
> >
> > # account
> > account         include         system
> >
> > # session
> > # XXX: pam_lastlog (used in system) causes users to appear as though
> > # they are no longer logged in in system logs.
> > session         required        pam_permit.so
> >
> > # password
> > #password       include         system
> > ---
> >
> > Any suggestions what I'm doing wrong?
> >
> > Thanks,
> > ==ml
> >
> > --
> > Michael W. Lucas
> > http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
> > Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
> > mwlucas@BlackHelicopters.org, Twitter @mwlauthor
>
> Make sure your sudoers file has
>
> Defaults env_keep += "SSH_AUTH_SOCK"
>
> Also, make sure your matching rule for your user doesn't have NOPASSWD
> set. It seems that since you've already authenticated to the system,
> sudo still knows the user and/or group credentials without the pam
> module's help - all it does is authenticate the public and private
> keys. If you have NOPASSWD, sudo doesn't even think it needs to refer
> to the authentication mechanism because according to sudoers it needs
> no password for the user issuing the request.

Hi,

Thanks for answering!

Turns out my problem was that sudo caches the last time the user
authenticated.

For future reference, I blogged how to set this up at
http://blather.michaelwlucas.com/archives/1106

==ml

--
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
mwlucas@BlackHelicopters.org, Twitter @mwlauthor
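Added example (not part of the thread, and not code from the sudo or pam_ssh_agent_auth projects): a small POSIX shell audit that checks a pam.d/sudo file and a sudoers file for the four things this thread turns on: the auth chain must go through pam_ssh_agent_auth with no system (password) fallback, sudoers must env_keep SSH_AUTH_SOCK so the module can reach the agent, no rule may carry NOPASSWD, and sudo's credential cache must be switched off. The cache is the problem Michael hit; the thread does not name the knob, so the check assumes the standard sudoers option timestamp_timeout=0 for it. The sample files are constructed here, not the poster's real configuration.

```shell
#!/bin/sh
# Audit helpers for the sudo + pam_ssh_agent_auth setup discussed in the thread.
# Each check prints a finding and returns 1 on failure, 0 when the file is fine.

# 1. pam.d/sudo: agent auth must be required, and the system auth chain
#    must not be included, or password authentication silently comes back.
check_pam_auth() {
    pamfile=$1
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_ssh_agent_auth\.so' "$pamfile" || {
        echo "FAIL: no 'auth required ... pam_ssh_agent_auth.so' line in $pamfile"
        return 1
    }
    if grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+system' "$pamfile"; then
        echo "FAIL: $pamfile still includes the system auth chain (password fallback)"
        return 1
    fi
    return 0
}

# 2. sudoers: SSH_AUTH_SOCK has to survive sudo's env_reset, otherwise the
#    module never finds the agent socket.
check_sudoers_env_keep() {
    grep -Eq '^[[:space:]]*Defaults.*env_keep.*SSH_AUTH_SOCK' "$1" || {
        echo "FAIL: $1 does not env_keep SSH_AUTH_SOCK"
        return 1
    }
}

# 3. sudoers: a NOPASSWD rule means sudo never consults PAM for that rule.
check_no_nopasswd() {
    if grep -Eq '^[^#]*NOPASSWD' "$1"; then
        echo "FAIL: $1 has a NOPASSWD rule; PAM is never consulted for it"
        return 1
    fi
    return 0
}

# 4. sudoers: sudo caches a successful authentication for a while, so the
#    agent is not asked again on the next invocation. timestamp_timeout=0
#    (standard sudoers option; assumed here, not named in the thread)
#    forces a fresh PAM authentication every time.
check_no_ticket_cache() {
    grep -Eq '^[[:space:]]*Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*0([^0-9.]|$)' "$1" || {
        echo "FAIL: $1 does not set timestamp_timeout=0; a cached auth bypasses the agent"
        return 1
    }
}

# Run all four checks; returns 0 only if every one passes.
audit_sudo_agent_auth() {
    rc=0
    check_pam_auth "$1" || rc=1
    check_sudoers_env_keep "$2" || rc=1
    check_no_nopasswd "$2" || rc=1
    check_no_ticket_cache "$2" || rc=1
    return $rc
}

# --- constructed sample files (hypothetical, for demonstration only) ---
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/pam_sudo" <<'EOF'
#auth           include         system
auth            required        /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
account         include         system
session         required        pam_permit.so
#password       include         system
EOF

# Mirrors the state the thread describes: env_keep is set, but a NOPASSWD
# rule and the default credential cache both let sudo skip the agent.
cat > "$SAMPLE_DIR/sudoers.bad" <<'EOF'
Defaults env_keep += "SSH_AUTH_SOCK"
%wheel ALL=(ALL) NOPASSWD: ALL
EOF

cat > "$SAMPLE_DIR/sudoers.good" <<'EOF'
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults timestamp_timeout=0
%wheel ALL=(ALL) ALL
EOF

echo "== auditing the bad sudoers =="
audit_sudo_agent_auth "$SAMPLE_DIR/pam_sudo" "$SAMPLE_DIR/sudoers.bad" || echo "bad sample rejected, as expected"
echo "== auditing the good sudoers =="
audit_sudo_agent_auth "$SAMPLE_DIR/pam_sudo" "$SAMPLE_DIR/sudoers.good" && echo "good sample passes"
```

On a real host, point the functions at /usr/local/etc/pam.d/sudo and /usr/local/etc/sudoers (or wherever the port installs them) instead of the samples; the checks are plain grep, so they do not need root and do not modify anything.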