Using Yubikey for sudo over SSH session
I currently use Kryptonite to handle protecting the private key I use to SSH into hosts. This works well, except when I need to escalate to root.
When I sudo
I have to go copy a randomly generated 20-character string out of my password manager, check that I'm really at the password prompt, and paste it to get my command running.
I'd much rather use my Yubikey to authenticate sudo
. I can find 101 guides on how to do this when sudo
ing on on local hosts with the Yubikey plugged into my local hosts, but how can I do this when I want to sudo
on a remote host over SSH with the key plugged into my local machine?
Both local and remote hosts are running recent Linux/GNU distros, specifically RHEL/Fedora if it makes a difference.
There is pam_ssh_agent_auth
, which does exactly what you need. This package is available for both Fedora and RHEL so the process of setting up and installing is very straight-forward:
yum install pam_ssh_agent_auth
Add to your /etc/sudoers
:
Defaults env_keep += \"SSH_AUTH_SOCK\"
Put your ssh-public key to /etc/security/authorized_keys
(get it from yubikey for example using ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so
)
Add a line to the start of /etc/pam.d/sudo
:
auth sufficient pam_ssh_agent_auth.so
Then you just add the pkcs11 library to your ssh-agent
and you can run sudo
without password (authenticating using key on the token):
ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so
sudo -i
This process is also described in the manual page for pam_ssh_agent_auth
.
Note that the keys on the yubikey needs to be generated before, but this is described in the Yubico documentation already.