Chapter 6. Authenticating to sudo remotely using smart cards

This section describes how to authenticate to sudo remotely using smart cards. After the ssh-agent service is running locally and can forward the ssh-agent socket to the remote machine, you can use the SSH authentication protocol in the sudo PAM module to authenticate users remotely.

After logging in locally with a smart card, you can SSH to the remote machine and run the sudo command without being prompted for a password, because the forwarded SSH agent answers the sudo PAM module's challenge with the key held on the smart card.

For the purposes of this example, a client is connecting to the IPA server through SSH and running the sudo command on the IPA server with credentials stored on a smart card.

6.1. Creating sudo rules in IdM

This procedure describes how to create sudo rules in IdM in order to give ipauser1 permission to run sudo on the remote host.

For the purposes of this example, the less and whoami commands are added as sudo commands to test the procedure.

Prerequisites

  • The IdM user has been created. For the purpose of this example, the user is ipauser1.
  • You have the hostname of the system where you are running sudo remotely. For the purpose of this example, the host is server.ipa.test.

Procedure

  1. Create a sudo rule named adminrule to allow a user to run commands:

    ipa sudorule-add adminrule
  2. Add less and whoami as sudo commands:

    ipa sudocmd-add /usr/bin/less
    ipa sudocmd-add /usr/bin/whoami
  3. Add the less and whoami commands to the adminrule:

    ipa sudorule-add-allow-command adminrule --sudocmds /usr/bin/less
    ipa sudorule-add-allow-command adminrule --sudocmds /usr/bin/whoami
  4. Add the ipauser1 user to the adminrule:

    ipa sudorule-add-user adminrule --users ipauser1
  5. Add the host on which you are running sudo to the adminrule:

    ipa sudorule-add-host adminrule --hosts server.ipa.test

Additional resources

  • See ipa sudorule-add --help for more information.
  • See ipa sudocmd-add --help for more information.

6.2. Setting up the PAM module for sudo

This procedure describes how to install and set up the pam_ssh_agent_auth.so PAM module for sudo authentication with a smart card on any host where you are running sudo.

Procedure

  1. Install the PAM SSH agent:

    dnf -y install pam_ssh_agent_auth
  2. Add the authorized_keys_command for pam_ssh_agent_auth.so to the /etc/pam.d/sudo file before any other auth entry:

    #%PAM-1.0
    auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
    auth       include      system-auth
    account    include      system-auth
    password   include      system-auth
    session    include      system-auth
  3. To enable the SSH agent forwarding to work when you run sudo commands, add the following to the /etc/sudoers file:

    Defaults env_keep += "SSH_AUTH_SOCK"

    This keeps the forwarded agent socket in the sudo environment, so users whose smart-card public keys are stored in IdM (and served through SSSD) can authenticate to sudo without entering a password.

  4. Restart the sssd service:

    systemctl restart sssd
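The two configuration edits above are easy to get subtly wrong: the pam_ssh_agent_auth.so line must be the first auth entry, and SSH_AUTH_SOCK must survive sudo's environment reset. The following POSIX sh script is an added example, not part of the Red Hat guide; it checks both settings against constructed sample copies of /etc/pam.d/sudo and /etc/sudoers (written to a temporary directory), so it runs offline without touching the real files.

```shell
#!/bin/sh
# Added example: validate the pam.d/sudo ordering and the sudoers env_keep
# entry required for pam_ssh_agent_auth. Sample files are constructed below.

# Succeeds only if the FIRST "auth" line in the PAM file is pam_ssh_agent_auth.so
# sourcing keys from SSSD (not from a user-writable authorized_keys file).
check_pam_sudo() {
    first_auth=$(grep -E '^[[:space:]]*auth[[:space:]]' "$1" | head -n 1)
    case "$first_auth" in
        *pam_ssh_agent_auth.so*authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Succeeds if sudoers keeps SSH_AUTH_SOCK (needed for the forwarded agent).
check_sudoers_env_keep() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"SSH_AUTH_SOCK"' "$1"
}

# Constructed sample files (one correct and one incorrect variant of each).
tmpdir=$(mktemp -d)
cat > "$tmpdir/sudo.good" <<'EOF'
#%PAM-1.0
auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
auth       include      system-auth
account    include      system-auth
EOF
cat > "$tmpdir/sudo.bad" <<'EOF'
#%PAM-1.0
auth       include      system-auth
auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
EOF
printf 'Defaults env_keep += "SSH_AUTH_SOCK"\n' > "$tmpdir/sudoers.good"
printf 'Defaults env_reset\n' > "$tmpdir/sudoers.bad"

# Report results for each sample; real files would be passed the same way.
for f in sudo.good sudo.bad; do
    if check_pam_sudo "$tmpdir/$f"; then echo "$f: PAM order OK"; else echo "$f: PAM order WRONG"; fi
done
for f in sudoers.good sudoers.bad; do
    if check_sudoers_env_keep "$tmpdir/$f"; then echo "$f: env_keep OK"; else echo "$f: env_keep MISSING"; fi
done
```

Point the two functions at /etc/pam.d/sudo and /etc/sudoers (as root) to check a live host.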

Additional resources

  • See the pam man page.

6.3. Connecting to sudo remotely using a smart card

This procedure describes how to configure the SSH agent and client in order to connect to sudo remotely using a smart card.

Prerequisites

  • You have created sudo rules in IdM.
  • You have installed and set up the pam_ssh_agent_auth PAM module for sudo authentication on the remote system where you are going to run sudo.

Procedure

  1. Start the SSH agent (if not already running):

    eval `ssh-agent`
  2. Add your smart card to the SSH agent. Enter your PIN when prompted:

    ssh-add -s /usr/lib64/opensc-pkcs11.so
  3. Connect via SSH with ssh-agent forwarding enabled (using the -A option) to the system where you are going to run sudo remotely:

    ssh -A ipauser1@server.ipa.test

Verification steps

  • Run the whoami command with sudo:

    sudo /usr/bin/whoami

You should not be prompted for a PIN or password.