I recently stumbled across a post about sudo with a key file. Wonderful: never enter a password for sudo again, how cool is that? Since I had some difficulties in the beginning, I want to write down my way here.

Install libpam-ssh-agent-auth

aptitude install libpam-ssh-agent-auth


Add to sudoers via visudo

Defaults env_keep += "SSH_AUTH_SOCK"


Add to /etc/pam.d/sudo

auth sufficient pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys


Copy authorized keys

cp /home/your_user/.ssh/authorized_keys /etc/ssh/sudo_authorized_keys
chown root:root /etc/ssh/sudo_authorized_keys


Be sure you have added the same identities to your local ssh agent. Test it with

ssh-add -L


It should print the public keys in your agent, and at least one of them should match a public key on the server in /etc/ssh/sudo_authorized_keys.

If not, add the key with

ssh-add ~/.ssh/your_keyfile


Also don't forget to enable agent forwarding for this server (my last gotcha):
Add

ForwardAgent yes


in ~/.ssh/config for the specified host(s).

Restart ssh afterwards:

systemctl restart ssh
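An added check for the agent-versus-server key comparison above (an example script written for this page, not part of the original post): it reports which keys from a saved `ssh-add -L` listing also appear in a copy of the server's sudo_authorized_keys, so a password prompt can be traced to a missing key rather than to the PAM or sudoers configuration. The file names are placeholders, and the sample keys are constructed.

```shell
#!/bin/sh
# Added check (not from the original post): does any key loaded in the local
# ssh-agent appear in the server's sudo_authorized_keys? Both inputs are files
# so it runs offline: save `ssh-add -L > agent_keys.txt` locally, copy
# /etc/ssh/sudo_authorized_keys from the server, then run
#   sh check_sudo_keys.sh agent_keys.txt sudo_authorized_keys
# Keys are compared by type and base64 blob only; comments and
# authorized_keys options (from=, command=, ...) are ignored.

# key_ids FILE: print "type blob" per key line, skipping comments and leading
# options. A real OpenSSH blob always starts with "AAAA" (the encoded length
# of the type string), which keeps option text from being taken for a key.
key_ids() {
  grep -v '^[[:space:]]*#' "$1" | awk '{
    for (i = 1; i < NF; i++) {
      if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i+1) ~ /^AAAA[A-Za-z0-9+\/]+=*$/) {
        print $i " " $(i+1); break
      }
    }
  }'
}

# matching_keys AGENT_FILE AUTHKEYS_FILE: print the keys present in both.
matching_keys() {
  a=$(mktemp) && b=$(mktemp) || return 1
  key_ids "$1" | sort -u > "$a"
  key_ids "$2" | sort -u > "$b"
  comm -12 "$a" "$b"
  rm -f "$a" "$b"
}

# match_count AGENT_FILE AUTHKEYS_FILE: number of shared keys. 0 means
# pam_ssh_agent_auth cannot succeed and sudo falls through to a password.
match_count() {
  matching_keys "$1" "$2" | wc -l | tr -d ' '
}

if [ "$#" -eq 2 ]; then
  agent_file=$1; auth_file=$2
else
  # Constructed sample data: the blobs are placeholders, not real keys.
  agent_file=$(mktemp); auth_file=$(mktemp)
  printf 'ssh-ed25519 AAAAC3CONSTRUCTEDAGENTKEY1 me@laptop\n' > "$agent_file"
  printf 'ssh-rsa AAAAB3CONSTRUCTEDAGENTKEY2 me@laptop\n' >> "$agent_file"
  printf '# keys allowed to satisfy sudo\n' > "$auth_file"
  printf 'from="10.0.0.0/8" ssh-ed25519 AAAAC3CONSTRUCTEDAGENTKEY1 admin\n' >> "$auth_file"
  printf 'ssh-rsa AAAAB3CONSTRUCTEDOTHERKEY backup\n' >> "$auth_file"
fi
echo "matching keys: $(match_count "$agent_file" "$auth_file")"
matching_keys "$agent_file" "$auth_file"
```

Because ForwardAgent yes hands the forwarded agent socket to anyone with root on the remote host, keep that Host entry in ~/.ssh/config limited to the servers that need it rather than using Host *.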
