nolebrink

Forum Replies Created

  • in reply to: Forward authentication not working for sudo #37633
    nolebrink
    Participant

    Thank you for the reply.

    I modified /etc/pam.d/sudo as you suggested:

    auth    sufficient   pam_ssh_agent_auth.so file=/usr/bin/sss_ssh_authorizedkeys debug

    That does stop the attempt to use /etc/security/authorized_keys, however sudo does still prompt for a password within a NoMachine session.

    Also, with that configuration, auth forwarding for sudo outside of a NoMachine session no longer works. So apparently the authorized_keys_command specification does need to be there.

    in reply to: Forward authentication not working for sudo #37539
    nolebrink
    Participant

    I enabled debug for /etc/pam.d/sudo:

    auth       sufficient   pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys debug
    auth       sufficient   pam_sss.so
    auth       include      system-auth
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so revoke
    session    required     pam_limits.so
    session    required     pam_tty_audit.so enable=*

    Here are the /var/log/secure entries when I attempt sudo from within a NoMachine session:

    Feb 15 14:04:43 lx2-tbw4 sudo[22348]: Beginning pam_ssh_agent_auth for user <user>
    Feb 15 14:04:43 lx2-tbw4 sudo[22348]: Using default file=/etc/security/authorized_keys
    Feb 15 14:04:43 lx2-tbw4 sudo[22348]: Attempting authentication: <user> as <user> using /etc/security/authorized_keys
    Feb 15 14:04:43 lx2-tbw4 sudo[22348]: No ssh-agent could be contacted
    Feb 15 14:04:43 lx2-tbw4 sudo[22348]: Failed Authentication: <user> as <user> using /etc/security/authorized_keys

    So, even though the pam_ssh_agent_auth entry in /etc/pam.d/sudo specifies an authorized_keys_command, it is still attempting to use the default file /etc/security/authorized_keys, which doesn’t exist. But, this is only occurring within a NoMachine session – it works external to NoMachine.
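The two posts above describe the same diagnostic loop by hand: read the pam_ssh_agent_auth line in /etc/pam.d/sudo, then read the debug lines it writes to /var/log/secure and compare what was configured with what the module actually did. The script below automates that cross-check. It is an added example written for this page, not code from the thread, from NoMachine or from the pam_ssh_agent_auth project. The PAM stanza and log excerpt are constructed samples modelled on the post (with "alice" standing in for <user>); the wording of a successful "Authenticated:" log line is an assumption, since the post only shows the failure path, and the module's fallback-to-default-file behaviour is reported here exactly as the post observed it, without claiming a cause.

```python
import re

# Constructed sample of /etc/pam.d/sudo, modelled on the configuration quoted in the post.
PAM_SUDO = """\
auth    sufficient   pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys debug
auth    sufficient   pam_sss.so
auth       include      system-auth
account    include      system-auth
"""

# Constructed /var/log/secure excerpt modelled on the post's output; "alice" stands in for <user>.
SECURE_LOG = """\
Feb 15 14:04:43 lx2-tbw4 sudo[22348]: Beginning pam_ssh_agent_auth for user alice
Feb 15 14:04:43 lx2-tbw4 sudo[22348]: Using default file=/etc/security/authorized_keys
Feb 15 14:04:43 lx2-tbw4 sudo[22348]: Attempting authentication: alice as alice using /etc/security/authorized_keys
Feb 15 14:04:43 lx2-tbw4 sudo[22348]: No ssh-agent could be contacted
Feb 15 14:04:43 lx2-tbw4 sudo[22348]: Failed Authentication: alice as alice using /etc/security/authorized_keys
"""

PAM_FIELDS = 3  # type, control, module; everything after that is module options


def parse_pam_ssh_agent_auth(pam_text):
    """Return {option: value} for the first 'auth ... pam_ssh_agent_auth.so' line, or None if absent.

    Bare flags such as 'debug' map to True. Only the auth stack is inspected.
    """
    for raw in pam_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < PAM_FIELDS or fields[0] != "auth" or fields[2] != "pam_ssh_agent_auth.so":
            continue
        opts = {}
        for tok in fields[PAM_FIELDS:]:
            key, sep, val = tok.partition("=")
            opts[key] = val if sep else True
        return opts
    return None


LOG_RE = re.compile(r"\bsudo\[(\d+)\]: (.*)$")


def summarize_secure_log(log_text):
    """Group pam_ssh_agent_auth messages by sudo PID: key source used, agent reachability, outcome."""
    sessions = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions.setdefault(pid, {"key_source": None, "agent_reachable": True, "outcome": "unknown"})
        if msg.startswith("Using default file="):
            s["key_source"] = msg.split("=", 1)[1]
            s["used_default"] = True
        elif msg == "No ssh-agent could be contacted":
            s["agent_reachable"] = False
        elif msg.startswith("Failed Authentication:"):
            s["outcome"] = "failed"
        elif msg.startswith("Authenticated:"):  # success wording is an assumption; the post shows only failures
            s["outcome"] = "success"
    return sessions


def diagnose(pam_text, log_text):
    """Cross-check the configured PAM options against what the log shows the module actually did."""
    findings = []
    opts = parse_pam_ssh_agent_auth(pam_text)
    if opts is None:
        findings.append("no pam_ssh_agent_auth.so line in the sudo auth stack")
        return findings
    if "file" not in opts and "authorized_keys_command" not in opts:
        findings.append("no key source configured; module will use its built-in default file")
    for pid, s in summarize_secure_log(log_text).items():
        if s.get("used_default") and "authorized_keys_command" in opts:
            findings.append(f"pid {pid}: authorized_keys_command set but module fell back to default file {s['key_source']}")
        if not s["agent_reachable"]:
            # pam_ssh_agent_auth locates the agent via SSH_AUTH_SOCK; sudo strips it unless sudoers
            # keeps it (Defaults env_keep += "SSH_AUTH_SOCK"), and the session must have an agent at all.
            findings.append(f"pid {pid}: no ssh-agent reachable; check SSH_AUTH_SOCK in the session and sudoers env_keep")
        if s["outcome"] == "failed":
            findings.append(f"pid {pid}: pam_ssh_agent_auth failed; 'sufficient' lets the stack fall through to the next auth module, hence the password prompt")
    return findings


if __name__ == "__main__":
    for finding in diagnose(PAM_SUDO, SECURE_LOG):
        print("-", finding)
```

Run against the constructed samples it reports three findings for PID 22348: the fallback to /etc/security/authorized_keys despite authorized_keys_command, the unreachable agent, and the fall-through that produces the password prompt. Pointing it at a real /etc/pam.d/sudo and a real /var/log/secure extract separates the two symptoms the thread conflates: which key source the module read, and whether it could reach an agent at all.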
