Using OpenPGP / GnuPG to unlock 'sudo bla bla' or 'sudo -s'
Andrew Gallagher
andrewg at andrewg.com
Wed Aug 14 16:27:54 CEST 2024
On 14 Aug 2024, at 10:29, Matthias Apitz <guru at unixarea.de> wrote:
>
> The above page gives as an example entry in the file /etc/pam.d/sudo the
> following line:
>
> "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"
>
> perhaps to be inserted without the apostrophes.
>
> The actual file is:
>
> purism at pureos:~$ cat /etc/pam.d/sudo
> #%PAM-1.0
>
> @include common-auth
> @include common-account
> @include common-session-noninteractive
>
> Must the new line be placed below or above the @include lines?
I recommend neither, actually :-) I use the configuration script below. It expects either APT or YUM to be defined, but you can delete the sections as appropriate for your distro. Editing PAM configuration files by hand is generally not a good idea on modern systems, as they tend to have PAM management toolchains that sit above the raw files, e.g. pam-auth-update for Debian/Ubuntu.
I strongly recommend using `/etc/security/authorized_keys/%u`, which should be owned by root. This prevents a privilege escalation vulnerability where an attacker replaces the user-owned `~/.ssh/authorized_keys` file with one of their own.
```
# Install and configure libpam-ssh-agent-auth.
# The caller sets APT or YUM to select the distro family. Per-user key
# files live under the root-owned /etc/security/authorized_keys/<username>;
# this snippet does not populate them.
if [[ $APT ]]; then
    apt-get -y install libpam-ssh-agent-auth
    # Debian/Ubuntu: ship a pam-auth-update profile rather than editing
    # /etc/pam.d/* directly. Priority 258 sorts it ahead of the stock
    # "unix" profile (256), and "success=end" is rewritten by
    # pam-auth-update into the jump that skips the remaining Primary modules.
    cat > /usr/share/pam-configs/pam-ssh-agent-auth <<EOF
Name: SSH agent authentication
Default: yes
Priority: 258
Auth-Type: Primary
Auth: [success=end default=ignore] pam_ssh_agent_auth.so file=/etc/security/authorized_keys/%u
Auth-Initial: [success=end default=ignore] pam_ssh_agent_auth.so file=/etc/security/authorized_keys/%u
EOF
    pam-auth-update --force
elif [[ $YUM ]]; then
    yum -y --setopt=skip_missing_names_on_install=False install pam_ssh_agent_auth
    # RHEL/CentOS: system-auth is normally a symlink to the generated
    # system-auth-ac. Point it at a wrapper that tries the agent first and
    # then includes the stock stack, so regenerating system-auth-ac does
    # not lose the change. The grep keeps this idempotent.
    if ! grep -q pam_ssh_agent_auth.so /etc/pam.d/system-auth; then
        cat <<EOF >/etc/pam.d/system-auth-ssh-agent
auth      sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys/%u
auth      include    system-auth-ac
account   include    system-auth-ac
password  include    system-auth-ac
session   include    system-auth-ac
EOF
        ln -sf system-auth-ssh-agent /etc/pam.d/system-auth
    fi
fi
# Keep the calling user's agent socket in sudo's environment so the PAM
# module can reach the agent (older sudo versions need this explicitly).
# sudoers(5) expects drop-in files to be root-owned and mode 0440.
cat > /etc/sudoers.d/pam-ssh-agent-auth <<EOF
# Older versions of sudo need this to access user ssh-agent
Defaults env_keep += "SSH_AUTH_SOCK"
EOF
chmod 0440 /etc/sudoers.d/pam-ssh-agent-auth
```
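The root-owned key file the reply recommends, as an added example that is not part of the original post or of pam_ssh_agent_auth itself: a small POSIX shell script that installs a public key into /etc/security/authorized_keys/<user> and audits an existing file for the properties that close the escalation path (a regular file rather than a symlink, neither it nor its directory writable by group or other, and neither owned by the user it authorizes). The function names, the sample key and the append-rather-than-overwrite behaviour are this example's own choices; the base directory is a parameter only so the functions can be tried on a scratch directory without root. The chown to root happens only when the script itself runs as root.

```shell
#!/bin/sh
# Added example (not from the original post): manage the root-owned
# per-user key files that pam_ssh_agent_auth reads from
# /etc/security/authorized_keys/<user>. Function names are assumptions.

KEYS_BASEDIR=/etc/security/authorized_keys

# Permission string, owner name and numeric uid via ls(1), which is
# portable where stat(1) flags differ between GNU and BSD.
perm_string() { set -- $(ls -ld "$1");  printf '%s\n' "$1"; }
owner_name()  { set -- $(ls -ld "$1");  printf '%s\n' "$3"; }
owner_uid()   { set -- $(ls -ldn "$1"); printf '%s\n' "$3"; }

# Character 6 of the ls mode string is the group write bit, character 9
# the other write bit; either set means a non-owner can rewrite the file.
group_or_other_writable() {
    case "$(perm_string "$1")" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only lines that look like OpenSSH public keys, the format the
# module parses; anything else is rejected before it reaches the file.
is_pubkey_line() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*|"sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) return 0 ;;
        *) return 1 ;;
    esac
}

# install_key BASEDIR USER "pubkey line": create BASEDIR/USER (0644 in a
# 0755 directory), append the key if not already present, and hand
# ownership to root when running as root. Refuses symlinks and non-files
# so a pre-planted link cannot redirect the write elsewhere.
install_key() {
    ik_base=$1; ik_user=$2; ik_key=$3; ik_file="$ik_base/$ik_user"
    is_pubkey_line "$ik_key" || { echo "install_key: not an OpenSSH public key line" >&2; return 1; }
    mkdir -p "$ik_base" && chmod 0755 "$ik_base" || return 1
    if [ -L "$ik_file" ] || { [ -e "$ik_file" ] && [ ! -f "$ik_file" ]; }; then
        echo "install_key: $ik_file is not a regular file, refusing" >&2; return 1
    fi
    touch "$ik_file" && chmod 0644 "$ik_file" || return 1
    grep -qxF "$ik_key" "$ik_file" || printf '%s\n' "$ik_key" >> "$ik_file"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$ik_base" "$ik_file"; fi
}

# audit_key_file BASEDIR USER: succeed only if USER cannot alter the file
# that authorizes USER. Ownership is compared by name and, when USER
# exists on this system, by numeric uid as well.
audit_key_file() {
    ak_base=$1; ak_user=$2; ak_file="$ak_base/$ak_user"; ak_rc=0
    ak_uid=$(id -u "$ak_user" 2>/dev/null || echo "")
    if [ -L "$ak_file" ] || [ ! -f "$ak_file" ]; then
        echo "audit: $ak_file missing or not a regular file" >&2; return 1
    fi
    for ak_p in "$ak_base" "$ak_file"; do
        if [ "$(owner_name "$ak_p")" = "$ak_user" ] || { [ -n "$ak_uid" ] && [ "$(owner_uid "$ak_p")" = "$ak_uid" ]; }; then
            echo "audit: $ak_p is owned by $ak_user" >&2; ak_rc=1
        fi
        if group_or_other_writable "$ak_p"; then
            echo "audit: $ak_p is writable by group or other ($(perm_string "$ak_p"))" >&2; ak_rc=1
        fi
    done
    return $ak_rc
}

# Usage: pam_keys.sh install USER "ssh-ed25519 AAAA... comment"
#        pam_keys.sh audit USER
case "${1:-}" in
    install) install_key "$KEYS_BASEDIR" "$2" "$3" ;;
    audit)   audit_key_file "$KEYS_BASEDIR" "$2" ;;
esac
```

Run the audit after every key rollout and from a periodic job: a file that pam_ssh_agent_auth would happily read but that its own user can write is exactly the ~/.ssh/authorized_keys situation the reply warns about, moved to a different path.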
More information about the Gnupg-users mailing list