SUDO using SSH Keys

*Warning: I offer no guarantees this will work for you, and misconfiguration could end up with no access to your system.*

It's really annoying, when you've connected over SSH using keys, to be prompted for a password as soon as you try to use sudo, particularly in scripts. You can certainly use the NOPASSWD option in sudoers, but for various reasons you may not want to.

I've gone for the option of (if SSH key, then allow sudo; if not, prompt for a password), something you couldn't do with the NOPASSWD option.

First install libpam-ssh-agent-auth:

```
apt-get install libpam-ssh-agent-auth
```

Then edit /etc/pam.d/sudo, adding the following above the first session line:

```
auth [success=3 default=ignore] pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys
```

Next edit /etc/sudoers and add the following above the existing Defaults lines:

```
Defaults env_keep += "SSH_AUTH_SOCK"
```

Finally edit /etc/ssh/sudo_authorized_keys and add your public key.
It's recommended that you set the permissions on this file so that only root can read and write it.

Now, without closing your current connection, test the setup from a new SSH session. You should be able to connect and run sudo without a password.
If you normally have password authentication enabled for connections, test that this still works, and that when you use sudo you are prompted for the password again.

This is working for me on Ubuntu, but as the warning above says, incorrect configuration may result in locking yourself out.
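Before opening that second session, it helps to sanity-check the three pieces above (PAM line placement, env_keep, key file permissions) and confirm that a key in your forwarded agent is actually listed in the key file. The script below is an added pre-flight check, not part of the original post; it assumes Ubuntu with GNU stat, and the PAM_SUDO, SUDOERS and KEYFILE paths default to the ones used above.

```shell
#!/bin/sh
# Added pre-flight check (not from the original post); assumes Ubuntu/GNU stat.
# Run as:  sh sudo_key_check.sh --run   (reading /etc/sudoers needs root)
PAM_SUDO=${PAM_SUDO:-/etc/pam.d/sudo}
SUDOERS=${SUDOERS:-/etc/sudoers}
KEYFILE=${KEYFILE:-/etc/ssh/sudo_authorized_keys}

# 1. The pam_ssh_agent_auth auth line must point at the key file and sit
#    above the first "session" line, as the post instructs.
check_pam_line() {
  auth_ln=$(grep -nE "^auth[[:space:]].*pam_ssh_agent_auth\.so.*file=$2" "$1" | head -n 1 | cut -d: -f1)
  sess_ln=$(grep -nE '^session[[:space:]]' "$1" | head -n 1 | cut -d: -f1)
  [ -n "$auth_ln" ] || return 1
  [ -z "$sess_ln" ] || [ "$auth_ln" -lt "$sess_ln" ]
}
# 2. Without env_keep the module never sees SSH_AUTH_SOCK and silently
#    falls through to the password prompt.
check_env_keep() {
  grep -Eq '^Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"SSH_AUTH_SOCK"' "$1"
}
# 3. The key file must exist, be owned by $2 (root in production) and not be
#    group/world writable: anyone who can write it can add a key and get root.
check_keyfile() {
  [ -f "$1" ] || return 1
  [ "$(stat -c %U "$1")" = "$2" ] || return 1
  case $(stat -c %a "$1") in
    *[2367]?|*[2367]) return 1 ;;   # write bit set for group or other
  esac
}
# 4. At least one key loaded in the forwarded agent must appear in the key file.
agent_key_authorized() {
  [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
  for fp in $(ssh-add -l 2>/dev/null | awk '{print $2}'); do
    ssh-keygen -lf "$1" 2>/dev/null | grep -qF "$fp" && return 0
  done
  return 1
}

main() {
  rc=0
  check_pam_line "$PAM_SUDO" "$KEYFILE" && echo "ok   pam line" || { echo "FAIL pam line"; rc=1; }
  check_env_keep "$SUDOERS" && echo "ok   env_keep" || { echo "FAIL env_keep"; rc=1; }
  check_keyfile "$KEYFILE" root && echo "ok   key file" || { echo "FAIL key file"; rc=1; }
  agent_key_authorized "$KEYFILE" && echo "ok   agent key" || { echo "FAIL agent key"; rc=1; }
  return $rc
}
if [ "${1:-}" = "--run" ]; then main; fi
```

A FAIL on the agent check from the session you are already in is expected if that session was not opened with agent forwarding; the other three should all pass before you try the new connection.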
