Forum Replies Created
Thank you for the reply.
I modified /etc/pam.d/sudo as you suggested:
auth sufficient pam_ssh_agent_auth.so file=/usr/bin/sss_ssh_authorizedkeys debug
That does stop attempt to use /etc/security/authorized_keys, however sudo does still prompt for a password within a NoMachine session.
Also, with that configuration, auth forwarding for sudo outside of a NoMachine session no longer works. So apparently the authorized_keys_command specification does need to be there.nolebrinkParticipant
I enabled debug for /etc/pam.d/sudo:
auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys debug
auth sufficient pam_sss.so
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_tty_audit.so enable=*
Here are the /var/log/secure entries when I attempt sudo from within a NoMachine session:
Feb 15 14:04:43 lx2-tbw4 sudo: Beginning pam_ssh_agent_auth for user <user>
Feb 15 14:04:43 lx2-tbw4 sudo: Using default file=/etc/security/authorized_keys
Feb 15 14:04:43 lx2-tbw4 sudo: Attempting authentication: <user> as <user> using /etc/security/authorized_keys
Feb 15 14:04:43 lx2-tbw4 sudo: No ssh-agent could be contacted
Feb 15 14:04:43 lx2-tbw4 sudo: Failed Authentication: <user> as <user> using /etc/security/authorized_keys
So, even though the pam_ssh_agent_auth entry in /etc/pam.d/sudo specifies an authorized_keys_command, it is still attempting to use the default file /etc/security/authorized_keys, which doesn’t exist. But, this is only occurring within a NoMachine session – it works external to NoMachine.