Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
Chapter 8. Authenticating to sudo remotely using smart cards
You can authenticate to sudo remotely using smart cards. After the ssh-agent service is running locally and can forward the ssh-agent socket to a remote machine, you can use the SSH authentication protocol in the sudo PAM module to authenticate users remotely.
After logging in locally using a smart card, you can log in through SSH to the remote machine and run the sudo command without being prompted for a password by using SSH forwarding of the smart card authentication.
For the purposes of this example, a client is connecting to the IPA server through SSH and running the sudo command on the IPA server with credentials stored on a smart card.
8.1. Creating sudo rules in IdM
Follow this procedure to create sudo rules in IdM to give <idm_user> permission to run sudo on the remote host.
For the purposes of this example, the less and whoami commands are added as sudo commands to test the procedure.
Prerequisites
-
The IdM user has been created. For the purpose of this example, the user is
<idm_user>. -
You have the hostname of the system where you are running
sudoremotely. For the purpose of this example, the host isserver.ipa.test.
Procedure
Create a
sudorule named <sudorule_name> to allow a user to run commands. Replace <sudorule_name> with the actual name of the sudo rule you want to create.ipa sudorule-add <sudorule_name>
# ipa sudorule-add <sudorule_name>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Add
lessandwhoamiassudocommands:ipa sudocmd-add /usr/bin/less ipa sudocmd-add /usr/bin/whoami
# ipa sudocmd-add /usr/bin/less # ipa sudocmd-add /usr/bin/whoamiCopy to Clipboard Copied! Toggle word wrap Toggle overflow Add the
lessandwhoamicommands to the <sudorule_name>:ipa sudorule-add-allow-command <sudorule_name> --sudocmds /usr/bin/less ipa sudorule-add-allow-command <sudorule_name> --sudocmds /usr/bin/whoami
# ipa sudorule-add-allow-command <sudorule_name> --sudocmds /usr/bin/less # ipa sudorule-add-allow-command <sudorule_name> --sudocmds /usr/bin/whoamiCopy to Clipboard Copied! Toggle word wrap Toggle overflow Add the
<idm_user>user to the <sudorule_name>:ipa sudorule-add-user <sudorule_name> --users <idm_user>
# ipa sudorule-add-user <sudorule_name> --users <idm_user>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Add the host on which you are running
sudoto the <sudorule_name>:ipa sudorule-add-host <sudorule_name> --hosts server.ipa.test
# ipa sudorule-add-host <sudorule_name> --hosts server.ipa.testCopy to Clipboard Copied! Toggle word wrap Toggle overflow
8.2. Connecting to sudo remotely using a smart card
Follow this procedure to configure the SSH agent and client to connect to sudo remotely using a smart card.
Prerequisites
-
You have created
sudorules in IdM. - You have configured IdM to support passkey authentication using FIDO2 Yubikeys or PKINIT authentication using smart cards.
-
You have configured the
pam_sss_gssmodule forsudoauthentication on the remote system where you are going to runsudo.
Procedure
Start the SSH agent (if not already running).
eval `ssh-agent`
# eval `ssh-agent`Copy to Clipboard Copied! Toggle word wrap Toggle overflow Add your smart card to the SSH agent. Enter your PIN when prompted:
ssh-add -s /usr/lib64/opensc-pkcs11.so
# ssh-add -s /usr/lib64/opensc-pkcs11.soCopy to Clipboard Copied! Toggle word wrap Toggle overflow Connect to the system where you need to run
sudoremotely by using SSH with ssh-agent forwarding enabled. Use the-Aoption:ssh -A ipauser1@server.ipa.test
# ssh -A ipauser1@server.ipa.testCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
Run the
whoamicommand withsudo:sudo /usr/bin/whoami
# sudo /usr/bin/whoamiCopy to Clipboard Copied! Toggle word wrap Toggle overflow
You are not prompted for a PIN or password when the smart card is inserted.
If the SSH agent is configured to use other sources, such as the GNOME Keyring, and you run the sudo command after removing the smart card, you might not be prompted for a PIN or password, as one of the other sources might provide access to a valid private key. To check the public keys of all identities known by the SSH agent, run the ssh-add -L command.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}