[sudo-users] Make sudo -S work with ssh -T

Grant Taylor gtaylor at tnetconsulting.net
Sun Jun 26 09:50:47 MDT 2022


On 6/25/22 11:28 PM, Glen Huang wrote:
> No, I didn’t. Thanks for the heads up.

:-)

You can't consider ~> evaluate something if you aren't aware of it.

> However, I’m not sure I follow. If I’m not wrong, SSH agent 
> forwarding is for logging into remote server B from remote server 
> A without A having the credentials itself.

Close.

Credentials *are* used.  It's just that the credentials that are used 
are public key credentials, /not/ username & password.

> How could that apply to sudo?

Other things can take advantage of the same public key authentication.

> Do you mean using a pam module like pam_ssh_agent_auth to authenticate 
> the sudo user passwordlessly?

Yes.

The pam_ssh_agent_auth module is just another PAM module that can 
authenticate someone using SSH public keys.  Keys that are accessible 
via SSH agent forwarding.

> I’m not familiar with this approach, but it seems to rely on 
> ssh-agent running locally and reading a local authorized_keys 
> file. I’m not sure if forwarding is relevant here?

It does use an SSH agent, but it's running on the client.  The client's 
SSH agent is accessible via SSH agent forwarding.

Remember that SSH agent forwarding works by creating a socket (think 
ghost SSH agent) on the remote / target server that is forwarded back 
through the SSH connection to the real SSH agent running on the 
client.  So there is actually no need for private keying material on the 
remote / target server.

> I guess I probably have misunderstood. Could you share some tips on 
> how that could be done?

Sure.  Sudo queries the pam_ssh_agent_auth module which talks to the 
user's ghost SSH agent which forwards the query through the SSH 
connection back to the client where the real SSH agent answers the 
query.  Responses follow the reverse path.

Ultimately, sudo *does* get authenticated via the pam_ssh_agent_auth 
module through SSH agent forwarding.  Thus users are non-interactively 
authenticated to sudo.

In my experience this works great in scripts.

I'm running out the door to pick someone up from the airport.  So please 
forgive the brevity.  Please reply with any questions and I'll expound 
as necessary after getting back.



-- 
Grant. . . .
unix || die
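The pieces the reply above describes, laid out as one worked configuration.  This is an added example, not config from the original post or from the pam_ssh_agent_auth project; the host name jump.example.com, the user glen and the key comment are hypothetical, and the public key line is a constructed placeholder.  /etc/pam.d/sudo is the usual sudo PAM stack on Linux and /etc/security/authorized_keys is the file the module conventionally reads; both are given explicitly here so nothing depends on distribution defaults.

```text
# --- On the client (the machine whose ssh-agent actually holds the key) ---
# ~/.ssh/config: forward the agent to this host only (hypothetical host)
Host jump.example.com
    ForwardAgent yes

# --- On the target server ---
# /etc/pam.d/sudo: put this line ABOVE the existing auth lines (e.g. the
# common-auth include) so a valid agent signature satisfies sudo before it
# ever reaches the password module.  The file named here must be owned by
# root and not writable by the users it covers, otherwise a user can add
# their own key and grant themselves passwordless sudo.
auth  sufficient  pam_ssh_agent_auth.so file=/etc/security/authorized_keys

# /etc/security/authorized_keys (root:root, mode 0644): public half of the
# forwarded key, same line format as ~/.ssh/authorized_keys.
# Constructed placeholder, not a real key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLAC glen@laptop

# /etc/sudoers (edit with visudo): sudo scrubs the environment, so keep
# SSH_AUTH_SOCK or the PAM module cannot find the forwarded agent socket.
# !requiretty is only needed if the distribution sets requiretty, since
# ssh -T allocates no tty.
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults !requiretty

# --- Invocation from the client ---
# -A forwards the agent, -T asks for no tty, and sudo -n makes sudo fail
# instead of prompting if PAM does not accept the key, so a script never
# hangs waiting for a password that nobody will type.
ssh -A -T glen@jump.example.com 'sudo -n id'
```

With this in place there is nothing for `sudo -S` to read: the authentication is the agent's signature, not a password on stdin.  The caveat is the one that applies to any agent forwarding: while the session is up, root on the target (or anyone who can reach the forwarded socket) can ask the client's agent to sign, so forward only to hosts trusted to that degree, and consider loading the key with `ssh-add -c` so each signature needs confirmation on the client.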
