Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 8. Authenticating to sudo remotely using smart cards

You can authenticate to sudo remotely using smart cards. After the ssh-agent service is running locally and can forward the ssh-agent socket to a remote machine, you can use the SSH authentication protocol in the sudo PAM module to authenticate users remotely.

After logging in locally using a smart card, you can log in through SSH to the remote machine and run the sudo command without being prompted for a password by using SSH forwarding of the smart card authentication.

For the purposes of this example, a client is connecting to the IPA server through SSH and running the sudo command on the IPA server with credentials stored on a smart card.

8.1. Creating sudo rules in IdM
Copia collegamento

Follow this procedure to create sudo rules in IdM to give <idm_user> permission to run sudo on the remote host.

For the purposes of this example, the less and whoami commands are added as sudo commands to test the procedure.

Prerequisites

  • The IdM user has been created. For the purpose of this example, the user is <idm_user>.
  • You have the hostname of the system where you are running sudo remotely. For the purpose of this example, the host is server.ipa.test.

Procedure

  1. Create a sudo rule named <sudorule_name> to allow a user to run commands. Replace <sudorule_name> with the actual name of the sudo rule you want to create. 

    # ipa sudorule-add <sudorule_name>
    Copy to Clipboard Toggle word wrap

  2. Add less and whoami as sudo commands: 

    # ipa sudocmd-add /usr/bin/less
# ipa sudocmd-add /usr/bin/whoami
    Copy to Clipboard Toggle word wrap

  3. Add the less and whoami commands to the <sudorule_name>: 

    # ipa sudorule-add-allow-command <sudorule_name> --sudocmds /usr/bin/less
# ipa sudorule-add-allow-command <sudorule_name> --sudocmds /usr/bin/whoami
    Copy to Clipboard Toggle word wrap

  4. Add the <idm_user> user to the <sudorule_name>: 

    # ipa sudorule-add-user <sudorule_name> --users <idm_user>
    Copy to Clipboard Toggle word wrap

  5. Add the host on which you are running sudo to the <sudorule_name>: 

    # ipa sudorule-add-host <sudorule_name> --hosts server.ipa.test
    Copy to Clipboard Toggle word wrap

8.2. Setting up the PAM module for sudo
Copia collegamento

Follow this procedure to install and set up the pam_ssh_agent_auth.so PAM module for sudo authentication with a smart card on any host where you are running sudo.

Procedure

  1. Install the PAM SSH agent: 

    # dnf -y install pam_ssh_agent_auth
    Copy to Clipboard Toggle word wrap

  2. Add the authorized_keys_command for pam_ssh_agent_auth.so to the /etc/pam.d/sudo file before any other auth entry: 

    #%PAM-1.0
auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
    Copy to Clipboard Toggle word wrap

  3. To enable the SSH agent forwarding to work when you run sudo commands, add the following to the /etc/sudoers file: 

    Defaults env_keep += "SSH_AUTH_SOCK"
    Copy to Clipboard Toggle word wrap

    This allows users who have their public keys from smart cards stored in IPA/SSSD to authenticate to sudo without entering a password.

  4. Restart the sssd service: 

    # systemctl restart sssd
    Copy to Clipboard Toggle word wrap

8.3. Connecting to sudo remotely using a smart card
Copia collegamento

Follow this procedure to configure the SSH agent and client to connect to sudo remotely using a smart card.

Prerequisites

  • You have created sudo rules in IdM.
  • You have installed and set up the pam_ssh_agent_auth PAM module for sudo authentication on the remote system where you are going to run sudo.

Procedure

  1. Start the SSH agent (if not already running). 

    # eval `ssh-agent`
    Copy to Clipboard Toggle word wrap

  2. Add your smart card to the SSH agent. Enter your PIN when prompted: 

    # ssh-add -s /usr/lib64/opensc-pkcs11.so
    Copy to Clipboard Toggle word wrap

  3. Connect to the system where you need to run sudo remotely by using SSH with ssh-agent forwarding enabled. Use the -A option: 

    # ssh -A ipauser1@server.ipa.test
    Copy to Clipboard Toggle word wrap

Verification

  • Run the whoami command with sudo: 

    # sudo /usr/bin/whoami
    Copy to Clipboard Toggle word wrap

You are not prompted for a PIN or password when the smart card is inserted.

Note

If the SSH agent is configured to use other sources, such as the GNOME Keyring, and you run the sudo command after removing the smart card, you might not be prompted for a PIN or password, as one of the other sources might provide access to a valid private key. To check the public keys of all identities known by the SSH agent, run the ssh-add -L command.

Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2026 Red HatTorna in cima