Date: Thu, 8 Dec 2011 11:45:33 -0500
From: "Michael W. Lucas" <mwlucas@blackhelicopters.org>
To: questions@freebsd.org
Subject: PAM confusion
Message-ID: <20111208164533.GA67774@bewilderbeast.blackhelicopters.org>
Hi,

I'm attempting to hook security/pam_ssh_agent_auth into sudo, and have learned that PAM doesn't work the way I thought it did.

I'm running FreeBSD-9/i386, with sudo 1.7.2.6.

My goal is that sudo pass all auth requests back to the user's SSH agent. Sudo should never use passwords for authentication. If the user doesn't have an SSH agent, or if the SSH agent breaks somehow, the sudo request is denied.

With my current config, sudo requests are accepted without a password even if the user's environment has no $SSH_AUTH_SOCK. I'm obviously doing something wrong.

Here's my pam.d/sudo. I removed password settings and required the pam_ssh_agent_auth library.

---
#auth include system
auth required /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized\
_keys

# account
account include system

# session
# XXX: pam_lastlog (used in system) causes users to appear as though
# they are no longer logged in in system logs.
session required pam_permit.so

# password
#password include system
---

Any suggestions what I'm doing wrong?

Thanks,
==ml

--
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
mwlucas@BlackHelicopters.org, Twitter @mwlauthor
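An added model of how the auth stack in the mail above is evaluated under the usual PAM control-flag rules (required/requisite/sufficient/optional). This is example code written for this page, not code from the mail or from OpenPAM: module outcomes are supplied as constructed values, and the /etc/pam.d/system stand-in is a constructed placeholder, not FreeBSD's real file. It shows that if sudo consults this stack, a failing pam_ssh_agent_auth module (no agent socket, no matching key) comes out as a denial, and that a `sufficient` password line placed ahead of the agent line would reopen the password path the poster wants closed.

```python
import re

# Auth/account/session lines of the pam.d/sudo from the mail above (constructed
# copy; the backslash continuation is kept as posted).
SUDO_POLICY = """\
#auth include system
auth required /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized\\
_keys
account include system
session required pam_permit.so
#password include system
"""
# Stand-in for /etc/pam.d/system (constructed for the model, not FreeBSD's real file).
INCLUDES = {"system": "auth required pam_unix.so\naccount required pam_unix.so\n"}

def parse_policy(text):
    """Return (facility, control, module, args) tuples with 'include' lines expanded."""
    text = re.sub(r"\\\n", "", text)  # join backslash-continued lines
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        facility, control, module, *args = line.split()
        if control == "include":  # pull in the same facility from the named policy
            entries += [e for e in parse_policy(INCLUDES[module]) if e[0] == facility]
        else:
            entries.append((facility, control, module, " ".join(args)))
    return entries

def run_chain(entries, facility, verdicts):
    """Usual control-flag rules; verdicts maps module -> True/False, unknown fails."""
    chain = [e for e in entries if e[0] == facility]
    if not chain:  # nothing to consult: modelled as denial, not success
        return "DENY"
    required_failed = False
    for _, control, module, _ in chain:
        ok = verdicts.get(module, False)
        if control == "requisite" and not ok:  # fail immediately
            return "DENY"
        if control == "required" and not ok:  # remembered; later modules still run
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return "ALLOW"  # short-circuit success
    return "DENY" if required_failed else "ALLOW"

def sudo_auth(policy, agent_ok, password_ok=False):
    """Auth verdict for a sudo policy given the agent and password module outcomes."""
    verdicts = {"/usr/local/lib/pam_ssh_agent_auth.so": agent_ok, "pam_unix.so": password_ok}
    return run_chain(parse_policy(policy), "auth", verdicts)
```

`sudo_auth(SUDO_POLICY, agent_ok=False)` returns "DENY", so an acceptance without a password cannot come from this chain as written; replacing the commented `#auth include system` line with `auth sufficient pam_unix.so` makes `sudo_auth(weak, agent_ok=False, password_ok=True)` return "ALLOW".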