
I currently use Kryptonite to handle protecting the private key I use to SSH into hosts. This works well, except when I need to escalate to root.

When I sudo I have to go copy a randomly generated 20-character string out of my password manager, check that I'm really at the password prompt, and paste it to get my command running.

I'd much rather use my Yubikey to authenticate sudo. I can find 101 guides on how to do this when sudoing on local hosts with the Yubikey plugged into my local hosts, but how can I do this when I want to sudo on a remote host over SSH with the key plugged into my local machine?

Both local and remote hosts are running recent Linux/GNU distros, specifically RHEL/Fedora if it makes a difference.

thomasfedb
  • AFAIK a Yubikey still acts as a keyboard and simply pressing the button will "type" the one-time password wherever you point your mouse cursor at, that also works in a terminal window over SSH to the sudo password prompt from a remote server... – HBruijn May 02 '17 at 14:30
  • Kryptonite looks awesome, but did you know you can use gpg for authenticating over ssh and then store that key on your yubikey? https://developers.yubico.com/PGP/SSH_authentication/ – andsens Feb 28 '18 at 13:50

1 Answer


There is pam_ssh_agent_auth, which does exactly what you need. This package is available for both Fedora and RHEL, so the process of installing and setting it up is very straightforward:

yum install pam_ssh_agent_auth

Add to your /etc/sudoers:

Defaults    env_keep += "SSH_AUTH_SOCK"

Put your SSH public key in /etc/security/authorized_keys (get it from the Yubikey, for example using ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so)

Add a line to the start of /etc/pam.d/sudo:

auth       sufficient   pam_ssh_agent_auth.so

Then you just add the PKCS#11 library to your ssh-agent and you can run sudo without a password (authenticating using the key on the token):

ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so
sudo -i

This process is also described in the manual page for pam_ssh_agent_auth.

Note that the keys on the Yubikey need to be generated beforehand, but this is already described in the Yubico documentation.

Jakuje
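Added example, not code from the answer or from the pam_ssh_agent_auth project: a POSIX sh script that checks the four pieces of the setup above on the remote host, so a wrong sudoers line, a mis-ordered PAM stack, a writable key file or a key that is not actually in /etc/security/authorized_keys is caught before you rely on it. It assumes the agent is forwarded with `ssh -A` and that `ssh-add -L` output has been saved to a file; the function names are mine, and the secure-file rule in step 3 is my assumption about how the module treats the key file.

```shell
#!/bin/sh
# Offline checks for the pam_ssh_agent_auth setup above. Every function takes file
# paths, so it can run against /etc on the remote host or against copied-out files.
# 1. sudo drops the environment unless /etc/sudoers keeps SSH_AUTH_SOCK; without it the
#    PAM module has no agent socket to talk to. Commented-out lines do not count.
sudoers_keeps_auth_sock() {  # $1 = sudoers file
  grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*[+]=.*SSH_AUTH_SOCK' "$1"
}

# 2. The answer puts pam_ssh_agent_auth.so at the start of /etc/pam.d/sudo; confirm it is
#    the first "auth" line and marked sufficient.
pam_sudo_agent_first() {  # $1 = PAM config for sudo
  first=$(grep -E '^[[:space:]]*auth[[:space:]]' "$1" | head -n 1)
  printf '%s\n' "$first" |
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_ssh_agent_auth\.so'
}

# 3. Assumption: pam_ssh_agent_auth only trusts an authorized_keys file that nobody but
#    its owner can write (OpenSSH's secure-file rules); flag group/world write bits.
authorized_keys_not_writable_by_others() {  # $1 = path
  [ -f "$1" ] || return 1
  [ -z "$(find "$1" \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# 4. At least one key the forwarded agent offers (`ssh-add -L` saved to a file) must match
#    an entry in authorized_keys. Compare key type and blob only: the comment differs
#    between the token and the file, and entries may carry an options prefix.
agent_key_authorized() {  # $1 = file holding `ssh-add -L` output, $2 = authorized_keys
  while read -r ktype blob _rest; do
    case "$ktype" in ''|'#'*) continue ;; esac
    if awk -v t="$ktype" -v b="$blob" \
        '{ for (i = 1; i < NF; i++) if ($i == t && $(i+1) == b) ok = 1 } END { exit !ok }' "$2"
    then return 0; fi
  done < "$1"
  return 1
}

# Run all four; prints what is wrong and returns non-zero if any check fails.
check_host() {  # $1 sudoers, $2 pam.d/sudo, $3 authorized_keys, $4 agent listing
  rc=0
  sudoers_keeps_auth_sock "$1" || { echo "sudoers: SSH_AUTH_SOCK missing from env_keep"; rc=1; }
  pam_sudo_agent_first "$2" || { echo "pam.d/sudo: pam_ssh_agent_auth.so is not the first auth line"; rc=1; }
  authorized_keys_not_writable_by_others "$3" || { echo "$3: missing or group/world writable"; rc=1; }
  agent_key_authorized "$4" "$3" || { echo "no key offered by the agent is listed in $3"; rc=1; }
  return $rc
}
# Typical use on the remote host after `ssh -A`:
#   ssh-add -L > /tmp/agent.txt
#   check_host /etc/sudoers /etc/pam.d/sudo /etc/security/authorized_keys /tmp/agent.txt
```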
  • For those looking to do this with id_ecdsa_sk keys (using FIDO): pam_ssh_agent_auth does not support this variety of key. In addition, as of today the last commit was almost a year ago, and thus it is probably safe to consider it unmaintained. Here is the relevant issue so you can check for sure: https://github.com/jbeverly/pam_ssh_agent_auth/issues/23 – Dessa Simpson May 27 '20 at 19:41
  • @DuncanXSimpson If you use pam_ssh_agent_auth on Fedora 32, it should support also FIDO keys as it is built against the parts of OpenSSH supporting this. But I did not test this explicitly yet. – Jakuje May 28 '20 at 09:12
  • I built it on Arch Linux and it doesn't work for me. – Dessa Simpson Jun 10 '20 at 16:02