On 14 Aug 2024, at 10:29, Matthias Apitz <g...@unixarea.de> wrote:
>
> The above page gives as an example entry in the file /etc/pam.d/sudo the
> following line:
>
> "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"
>
> perhaps to be inserted without the apostrophes.
>
> The actual file is:
>
> purism@pureos:~$ cat /etc/pam.d/sudo
> #%PAM-1.0
>
> @include common-auth
> @include common-account
> @include common-session-noninteractive
>
> Must the new line be placed below or above the @include lines?
I recommend neither, actually :-) I use the configuration script below. It expects either APT or YUM to be defined, but you can delete the sections as appropriate for your distro.

Editing PAM configuration files by hand is generally not a good idea on modern systems, as they tend to have PAM management toolchains that sit above the raw files, e.g. pam-auth-update for Debian/Ubuntu.

I strongly recommend using `/etc/security/authorized_keys/%u`, which should be owned by root. This prevents a privilege escalation vulnerability where an attacker replaces the user-owned `~/.ssh/authorized_keys` file with one of their own.

```
# Install and configure libpam-ssh-agent-auth
if [[ $APT ]]; then
    apt-get -y install libpam-ssh-agent-auth
    # Debian/Ubuntu: register a pam-auth-update profile instead of editing
    # /etc/pam.d/* directly; %u is expanded by the module to the user name.
    cat > /usr/share/pam-configs/pam-ssh-agent-auth <<EOF
Name: SSH agent authentication
Default: yes
Priority: 258
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_ssh_agent_auth.so file=/etc/security/authorized_keys/%u
Auth-Initial:
	[success=end default=ignore]	pam_ssh_agent_auth.so file=/etc/security/authorized_keys/%u
EOF
    pam-auth-update --force
elif [[ $YUM ]]; then
    yum -y --setopt=skip_missing_names_on_install=False install pam_ssh_agent_auth
    # RHEL/CentOS: wrap the authconfig-managed system-auth-ac in a new stack
    # that tries the agent first, and point the system-auth symlink at it.
    if ! grep -q pam_ssh_agent_auth.so /etc/pam.d/system-auth; then
        cat <<EOF >/etc/pam.d/system-auth-ssh-agent
auth      sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys/%u
auth      include    system-auth-ac
account   include    system-auth-ac
password  include    system-auth-ac
session   include    system-auth-ac
EOF
        ln -sf system-auth-ssh-agent /etc/pam.d/system-auth
    fi
fi

# sudo must pass the agent socket through, or the module cannot reach the agent.
cat > /etc/sudoers.d/pam-ssh-agent-auth <<EOF
# Older versions of sudo need this to access user ssh-agent
Defaults env_keep += "SSH_AUTH_SOCK"
EOF
```
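As an added example (mine, not from the thread or the pam_ssh_agent_auth project), a small audit script for the two properties the reply above depends on: the per-user key file is root-owned and writable by nobody else, and every pam_ssh_agent_auth.so auth line pins file= to a path outside user home directories. It assumes GNU stat (BSD stat as a fallback) and takes the paths to check as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: audit helpers for a pam_ssh_agent_auth
# deployment. Assumes GNU stat, with BSD stat as a fallback.

# Owner uid and octal permission bits of a file.
file_owner() { stat -c %u "$1" 2>/dev/null || stat -f %u "$1"; }
file_mode()  { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# check_keyfile PATH [OWNER_UID]
# 0 when PATH is a regular file owned by OWNER_UID (default 0, root) and not
# writable by group or other; otherwise prints the reason and returns 1.
check_keyfile() {
    f=$1; want=${2:-0}
    [ -f "$f" ] || { echo "missing or not a regular file: $f"; return 1; }
    owner=$(file_owner "$f") || return 1
    mode=$(file_mode "$f") || return 1
    [ "$owner" = "$want" ] || { echo "owner uid $owner, want $want: $f"; return 1; }
    # Group-write is the second-to-last octal digit, other-write the last;
    # 2, 3, 6 and 7 are the digit values that carry the write bit.
    case "$mode" in
        *[2367]?|*[2367]) echo "writable by group or other (mode $mode): $f"; return 1 ;;
    esac
    return 0
}

# check_pam_config FILE
# 0 when FILE has at least one pam_ssh_agent_auth.so auth line and every such
# line pins file= to a path outside user home directories; otherwise 1.
check_pam_config() {
    f=$1; rc=0
    lines=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_ssh_agent_auth\.so' "$f") ||
        { echo "no pam_ssh_agent_auth.so auth line in $f"; return 1; }
    # A line without file= leaves the key file location to the module default
    # rather than to a root-controlled path.
    if printf '%s\n' "$lines" | grep -qv 'file='; then
        echo "auth line without file= in $f"; rc=1
    fi
    # ~ or /home/... names a file the authenticating user can replace.
    if printf '%s\n' "$lines" | grep -Eq 'file=(~|/home/)'; then
        echo "key file under a user-writable home directory in $f"; rc=1
    fi
    return $rc
}
```

Run it against /etc/security/authorized_keys/<user> and the PAM stack that ends up in /etc/pam.d (common-auth on Debian, system-auth on RHEL) after the script above has been applied.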
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users