Using OpenPGP / GnuPG to unlock 'sudo bla bla' or 'sudo -s'

Andrew Gallagher andrewg at andrewg.com
Wed Aug 14 16:27:54 CEST 2024 

On 14 Aug 2024, at 10:29, Matthias Apitz <guru at unixarea.de> wrote:
> 
> The above page gives as an example entry in the file /etc/pam.d/sudo the
> following line:
> 
> "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"
> 
> perhaps to be inserted without the apostrophes.
> 
> The actual file is:
> 
> purism at pureos:~$ cat /etc/pam.d/sudo
> #%PAM-1.0
> 
> @include common-auth
> @include common-account
> @include common-session-noninteractive
> 
> Must the new line placed below or above the @include lines?

I recommend neither, actually :-) I use the configuration script below. It expects either APT or YUM to be defined, but you can delete the sections as appropriate for your distro. Editing PAM configuration files by hand is generally not a good idea on modern systems, as they tend to have PAM management toolchains that sit above the raw files, e.g. pam-auth-update for Debian/Ubuntu.

I strongly recommend using `/etc/security/authorized_keys/%u`, which should be owned by root. This prevents a privilege escalation vulnerability where an attacker replaces the user-owned `~/.ssh/authorized_keys` file with one of their own.

```
# Install and configure libpam-ssh-agent-auth

if [[ $APT ]]; then

  apt-get -y install libpam-ssh-agent-auth
  cat > /usr/share/pam-configs/pam-ssh-agent-auth <<EOF
Name: SSH agent authentication
Default: yes
Priority: 258
Auth-Type: Primary
Auth: [success=end default=ignore] pam_ssh_agent_auth.so file=/etc/security/authorized_keys/%u
Auth-Initial: [success=end default=ignore] pam_ssh_agent_auth.so file=/etc/security/authorized_keys/%u
EOF

  pam-auth-update --force

elif [[ $YUM ]]; then

  yum -y --setopt=skip_missing_names_on_install=False install pam_ssh_agent_auth
  if ! grep -q pam_ssh_agent_auth.so /etc/pam.d/system-auth; then
    cat <<EOF >/etc/pam.d/system-auth-ssh-agent
auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys/%u
auth include system-auth-ac
account include system-auth-ac
password include system-auth-ac
session include system-auth-ac
EOF
    ln -sf system-auth-ssh-agent /etc/pam.d/system-auth
  fi

fi

cat > /etc/sudoers.d/pam-ssh-agent-auth <<EOF
# Older versions of sudo need this to access user ssh-agent
Defaults env_keep += "SSH_AUTH_SOCK"
EOF
```

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20240814/0667c5fa/attachment.sig>

More information about the Gnupg-users mailing list