Chapter 8. Authenticating to sudo remotely using smart cards
This section describes how to authenticate to sudo remotely using smart cards. After the ssh-agent
service is running locally and can forward the ssh-agent
socket to a remote machine, you can use the SSH authentication protocol in the sudo PAM module to authenticate users remotely.
After logging in locally using a smart card, you can log in through SSH to the remote machine and run the sudo
command without being prompted for a password by using SSH forwarding of the smart card authentication.
For the purposes of this example, a client is connecting to the IPA server through SSH and running the sudo command on the IPA server with credentials stored on a smart card.
8.1. Creating sudo rules in IdM
Follow this procedure to create sudo rules in IdM to give ipauser1
permission to run sudo on the remote host.
For the purposes of this example, the less
and whoami
commands are added as sudo commands to test the procedure.
Prerequisites
-
The IdM user has been created. For the purpose of this example, the user is
ipauser1
. -
You have the hostname of the system where you are running sudo remotely. For the purpose of this example, the host is
server.ipa.test
.
Procedure
Create a
sudo
rule namedadminrule
to allow a user to run commands.ipa sudorule-add adminrule
Add
less
andwhoami
assudo
commands:ipa sudocmd-add /usr/bin/less ipa sudocmd-add /usr/bin/whoami
Add the
less
andwhoami
commands to theadminrule
:ipa sudorule-add-allow-command adminrule --sudocmds /usr/bin/less ipa sudorule-add-allow-command adminrule --sudocmds /usr/bin/whoami
Add the
ipauser1
user to theadminrule
:ipa sudorule-add-user adminrule --users ipauser1
Add the host on which you are running
sudo
to theadminrule
:ipa sudorule-add-host adminrule --hosts server.ipa.test
Additional resources
-
See
ipa sudorule-add --help
. -
See
ipa sudocmd-add --help
.
8.2. Setting up the PAM module for sudo
Follow this procedure to install and set up the pam_ssh_agent_auth.so
PAM module for sudo authentication with a smart card on any host where you are running sudo.
Procedure
Install the PAM SSH agent:
dnf -y install pam_ssh_agent_auth
Add the
authorized_keys_command
forpam_ssh_agent_auth.so
to the/etc/pam.d/sudo
file before any otherauth
entry:#%PAM-1.0 auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys auth include system-auth account include system-auth password include system-auth session include system-auth
To enable the SSH agent forwarding to work when you run sudo commands, add the following to the
/etc/sudoers
file:Defaults env_keep += "SSH_AUTH_SOCK"
This allows users who have their public keys from smart cards stored in IPA/SSSD to authenticate to sudo without entering a password.
Restart the
sssd
service:systemctl restart sssd
Additional resources
-
See the
pam
man page.
8.3. Connecting to sudo remotely using a smart card
Follow this procedure to configure the SSH agent and client to connect to sudo
remotely using a smart card.
Prerequisites
-
You have created
sudo
rules in IdM. -
You have installed and set up the
pam_ssh_agent_auth
PAM module forsudo
authentication on the remote system where you are going to runsudo
.
Procedure
Start the SSH agent (if not already running).
eval `ssh-agent`
Add your smart card to the SSH agent. Enter your PIN when prompted:
ssh-add -s /usr/lib64/opensc-pkcs11.so
Connect to the system where you need to run
sudo
remotely by using SSH with ssh-agent forwarding enabled. Use the-A
option:ssh -A ipauser1@server.ipa.test
Verification
Run the
whoami
command withsudo
:sudo /usr/bin/whoami
You are not prompted for a PIN or password when the smart card is inserted.
If the SSH agent is configured to use other sources, such as the GNOME Keyring, and you run the sudo
command after removing the smart card, you might not be prompted for a PIN or password, as one of the other sources might provide access to a valid private key. To check the public keys of all identities known by the SSH agent, run the ssh-add -L
command.