09. May 2026 • 3 min. read

SSH Key-Based Sudo Authentication using pam_ssh_agent_auth

linux

Hi there,

I have been using a lot of virtual private servers (VPS) lately, for services that have to be reachable all the time and for systems I don’t want to have at home but still want accessible from the internet.

The big problem with this is that the SSH service is usually exposed to the internet.

So securing it is mandatory. That means no password authentication, no root SSH login, very complex passwords and so on. Now, the “very complex password” part gets a bit annoying. I am using passwords between 32 and 64 characters long, which I cannot memorize, for obvious reasons. But I need this password for commands that require elevated privileges, i.e. sudo.

A few days ago, I thought: is it not possible to use the private key I use to log into the server to authenticate sudo as well?

Apparently it is.

We will be using the pam_ssh_agent_auth package, a PAM (Pluggable Authentication Modules) module that lets sudo replace its password prompt with SSH key verification against the keys held in your SSH agent.

I am using AlmaLinux 9 for my example, but it works on Debian 12 as well. I tested it.

Let’s begin.

A few warnings.

Make sure you have an active root session while testing the sudo authentication. If something goes wrong, you could lock yourself out. With the active session, you can still revert the changes.

Using agent forwarding is a potential security risk. While your session is open, the forwarded agent socket (SSH_AUTH_SOCK) on the remote server can be used to authenticate with your keys. If the remote server is compromised, an attacker with root there can use that socket to do more harm, so only forward the agent to servers you trust, and only for as long as you need it.

Sudo Authentication using SSH Key

The Server configuration

## Install the required package.
# First the epel-release repo.
$ sudo dnf install epel-release -y

# Then the actual package.
$ sudo dnf install pam_ssh_agent_auth -y

# For Debian.
$ sudo apt update ; sudo apt install libpam-ssh-agent-auth -y

# Add a new line to the top of the /etc/pam.d/sudo file. It has to be the first
# auth rule, so the key check runs before the password modules.
$ sudo vim /etc/pam.d/sudo
auth       sufficient   pam_ssh_agent_auth.so file=/etc/security/authorized_keys_sudo
...

# Afterwards it probably looks something like this.
auth       sufficient   pam_ssh_agent_auth.so file=/etc/security/authorized_keys_sudo
auth       include      system-auth
account    include      system-auth
session    include      system-auth

# Create a new file "ssh-agent-auth" under /etc/sudoers.d with the following line.
# It makes sudo keep the SSH_AUTH_SOCK variable, so the module can reach the forwarded agent.
$ sudo vim /etc/sudoers.d/ssh-agent-auth
Defaults    env_keep += "SSH_AUTH_SOCK"

# Copy your public key from "$HOME/.ssh/authorized_keys" to "/etc/security/authorized_keys_sudo".
# If there is only one public key in there, you can use this command.
$ sudo cp /home/<username>/.ssh/authorized_keys /etc/security/authorized_keys_sudo

# Make sure the file has the correct permissions. Only root may write to it,
# otherwise anyone who can edit it could add their own key and get sudo.
$ sudo chmod 600 /etc/security/authorized_keys_sudo

# And because we use a Red Hat based distro, we have to make sure the SELinux context is correct.
$ sudo restorecon -v /etc/security/authorized_keys_sudo

Testing the setup

Alright. We are done with the preparations. Let’s test it.

For this to work, we have to enable agent forwarding when using SSH. This lets the server use the keys held by the agent on your local machine: the private key never leaves your machine, the module only asks the agent, through the forwarded socket, to sign a challenge.

# Start the SSH session using agent forwarding.
$ ssh -A <remote-server>

# Test the sudo authentication
$ sudo -s

If everything worked, you shouldn’t have to enter your password. If not, check the logs using journalctl. It should tell you what went wrong.
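As an added example (not from the original post), here is a small bash script that checks the pieces above before you rely on them: the key file permissions, that the pam_ssh_agent_auth rule is the first auth rule, that sudo keeps SSH_AUTH_SOCK, and that a key in the forwarded agent matches a key in the sudo key file. The paths are the ones used in this post; the function names and the --live flag are my own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: sanity-check the
# pam_ssh_agent_auth setup from the steps above. Paths default to the
# ones used in the post; the function names and --live flag are made up.
KEYFILE="${KEYFILE:-/etc/security/authorized_keys_sudo}"
PAMFILE="${PAMFILE:-/etc/pam.d/sudo}"
DROPIN="${DROPIN:-/etc/sudoers.d/ssh-agent-auth}"
# 0 if the sudo key file exists and is mode 600, as the post sets it. A file
# other users could write to would let them add their own key and get root.
check_keyfile_perms() {
  [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]
}

# 0 if the first active "auth" rule in PAM file $1 is pam_ssh_agent_auth
# with file=$2; it must precede the password modules or sudo still asks for a password.
check_pam_order() {
  local first
  first=$(awk '$1 == "auth" { print; exit }' "$1") || return 1
  case "$first" in
    *pam_ssh_agent_auth.so*"file=$2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if sudoers drop-in $1 keeps SSH_AUTH_SOCK, so sudo can reach the agent.
check_env_keep() {
  grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"SSH_AUTH_SOCK"' "$1"
}

# 0 if a fingerprint in $1 (ssh-add -l output) also appears in $2
# (ssh-keygen -lf output for the key file); both put "SHA256:..." in column 2.
fingerprints_overlap() {
  awk 'FILENAME == ARGV[1] { seen[$2] = 1; next }
       ($2 in seen) { found = 1; exit }
       END { exit !found }' "$1" "$2"
}
# Run every check against the live system; use it inside the "ssh -A" session.
verify_setup() {
  local rc=0
  check_keyfile_perms "$KEYFILE" || { echo "key file missing or not mode 600: $KEYFILE"; rc=1; }
  check_pam_order "$PAMFILE" "$KEYFILE" || { echo "pam_ssh_agent_auth is not the first auth rule in $PAMFILE"; rc=1; }
  check_env_keep "$DROPIN" || { echo "SSH_AUTH_SOCK is not kept in $DROPIN"; rc=1; }
  if [ -z "${SSH_AUTH_SOCK:-}" ]; then echo "no forwarded agent here (did you use ssh -A?)"; rc=1
  else fingerprints_overlap <(ssh-add -l 2>/dev/null) <(ssh-keygen -lf "$KEYFILE" 2>/dev/null) \
      || { echo "no key in the agent matches a key in $KEYFILE"; rc=1; }; fi
  return "$rc"
}
# Sourcing the file only defines the functions; run the live checks with --live.
if [ "${1:-}" = "--live" ]; then verify_setup; fi
```

Run it as `bash check-sudo-agent.sh --live` inside the forwarded session (as root, since the key file is mode 600); each failing check prints which step to revisit.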

That is pretty much it.

(Optional) ssh config

If we want to streamline the SSH login a bit more, we can use the ~/.ssh/config file to set shortcuts.

For example.

# Create the config file and add the following. Replace the hostname and username with your setup.
$ vim ~/.ssh/config
Host vps-01
  hostname <ip-address or hostname>
  user admin
  IdentityFile ~/.ssh/admin
  ForwardAgent yes

Now you can just type the following to start an SSH session.

$ ssh vps-01

That’s it.

I will probably try to make this work with a YubiKey for the next post.

Till then.
