
@dorzepowski
Created April 27, 2023 10:40
SSH sudo with TouchID

On the Mac

  1. Use the Secretive app to generate a new ssh key
  2. Copy the public key to the user's ~/.ssh/authorized_keys on the server:
ssh-copy-id -f -i <<path to public key>> <<username>>@<<ip>>

example:

ssh-copy-id -f -i /Users/${USER}/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/kfjakjflka481958917.pub <<username>>@<<ip>>
  3. Make sure the SSH_AUTH_SOCK environment variable is exported (e.g. in your shell profile), pointing at the Secretive agent socket:
export SSH_AUTH_SOCK=/Users/${USER}/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
  4. Inside ~/.ssh/config set the proper config for the host:
Host example.domain
     ForwardAgent yes
     HostName 191.168.0.30
     User myRemotUser
     IdentityFile /Users/<<myMacUser>>/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/kfjakjflka481958917.pub
     IdentityAgent /Users/<<myMacUser>>/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh

Remember:

  • change example.domain to the name you want to use
  • change the value of HostName to the IP of your server
  • change the value of User to your user on the remote server
  • change the value of IdentityFile to the public key copied in the previous step
  • change <<myMacUser>> in IdentityAgent to your local username
  5. On the server
  • install the PAM module for ssh-agent authentication:
sudo apt install libpam-ssh-agent-auth
  • set up PAM to use the ssh agent for sudo authorization:
sudo nano /etc/pam.d/sudo

!!! This should go at the beginning of the file (right after the '#%PAM-1.0' line); order is important here, because a later entry would let the included password stack run first!

# Allow users to use their regular authorized SSH keys for sudo,
# and allow them to manage the keys themselves.
auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys allow_user_owned_authorized_keys_file

# # Alternatively, have a single central key file, owned by root.
# # This is useful if you only want a subset of SSH keys to grant root permissions.
# auth sufficient pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys
  • keep the forwarded SSH_AUTH_SOCK in the environment when running sudo, so the PAM module can reach the agent:
sudo visudo
Defaults    env_keep += SSH_AUTH_SOCK
  6. Disable ssh login with a password
sudo nano /etc/ssh/sshd_config

and in the editor set:

ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin no

Closing notes:

IMPORTANT! Make sure the home directory, the .ssh folder and authorized_keys have the proper permissions, otherwise sshd and the PAM module will ignore the key file:

chmod go-w /home/${USER}
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys
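The server-side steps above (PAM ordering, sudoers env_keep, sshd_config hardening, permissions) are easy to get subtly wrong, and a wrong PAM order silently falls back to password prompts. The following POSIX sh script is an added verification helper, not part of the original gist or of the pam_ssh_agent_auth project; every check takes the file or directory to inspect as an argument, and demo() runs them against constructed sample files so it can be tried before pointing the functions at the real /etc paths:

```shell
#!/bin/sh
# Added verification helper (not part of the original gist). Each function
# inspects one of the server-side pieces configured above and returns 0
# when it matches the intended setup, non-zero otherwise.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# sshd (and pam_ssh_agent_auth in strict mode) refuse authorized_keys when
# the home directory is group/world writable or ~/.ssh is too open.
# Mirrors the three chmod commands in the closing notes.
check_perms() {
  home="$1"
  m=$(( 0$(mode_of "$home") ))
  [ $(( m & 022 )) -eq 0 ] || return 1                    # no g/o write on home
  [ "$(mode_of "$home/.ssh")" = "700" ] || return 1
  [ "$(mode_of "$home/.ssh/authorized_keys")" = "600" ] || return 1
}

# The very first non-comment entry of /etc/pam.d/sudo must be the
# "auth sufficient pam_ssh_agent_auth.so ..." line; if an @include or any
# other auth entry comes first, the password stack runs before the agent.
check_pam_order() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      ok = ($1 == "auth" && $2 == "sufficient" && $3 ~ /pam_ssh_agent_auth\.so/)
      seen = 1
      exit
    }
    END { exit (seen && ok) ? 0 : 1 }
  ' "$1"
}

# sshd uses the first occurrence of a keyword (keywords are case-insensitive);
# Match blocks are not modelled here.
sshd_effective() {
  awk -v key="$2" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# All three settings from step 6 must resolve to "no".
check_sshd_config() {
  for key in PasswordAuthentication ChallengeResponseAuthentication PermitRootLogin; do
    [ "$(sshd_effective "$1" "$key")" = "no" ] || return 1
  done
}

# Builds constructed sample files that mirror the configuration above and
# runs every check against them. Returns 0 when all checks pass.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/home/.ssh"
  : > "$d/home/.ssh/authorized_keys"
  chmod 755 "$d/home"
  chmod 700 "$d/home/.ssh"
  chmod 600 "$d/home/.ssh/authorized_keys"
  cat > "$d/pam_sudo" <<'EOF'
#%PAM-1.0
# constructed sample: agent line first, then the distro's include
auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys allow_user_owned_authorized_keys_file
@include common-auth
EOF
  cat > "$d/sshd_config" <<'EOF'
# constructed sample sshd_config
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin no
EOF
  check_perms "$d/home" && check_pam_order "$d/pam_sudo" && check_sshd_config "$d/sshd_config"
  rc=$?
  rm -rf "$d"
  return $rc
}

# Stand-alone run: verify the constructed samples.
demo && echo "constructed samples pass all checks"
```

On a real host, run the functions as `check_perms /home/$USER`, `check_pam_order /etc/pam.d/sudo` and `check_sshd_config /etc/ssh/sshd_config` (the last two need root to read the files on some distributions). Keep in mind that ForwardAgent exposes your agent socket to root on the remote host for the duration of the session; with Secretive every signature still needs a TouchID confirmation, which is what keeps a forwarded agent from being used silently.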