Re: ssh forward agent

On 03/06/2025 13:15, Francis.Montagnac@xxxxxxxx wrote:
> Hi.
>
> On Mon, 02 Jun 2025 22:45:48 +0700 Frederic Muller wrote:
>> On 02/06/2025 21:45, Francis.Montagnac@xxxxxxxx wrote:
>>> AFAIK sudo cannot be configured to authenticate with SSH keys.
>> of course it can.
> Effectively, a search shows that this is possible by configuring sudo
> with pam_ssh_agent_auth (on the server, the target machine).
>
>> It worked fine until... I switched to F42. SSH forward to ssh key to
>> the target machine and my user uses that key on the target machine
>> to authenticate and login into sudo.
>> The target machine hasn't changed at all. My laptop however has.
> F42 removed pam_ssh_agent_auth:
>    https://fedoraproject.org/wiki/Changes/Remove_pam-ssh-agent_component
> but that should not be the reason.
>
> I would suspect a change in ssh-agent, but looking quickly at the
> changelog of openssh (F41: 9.8 F42: 9.9) does not show anything related.
>
>> Well.. I'll do another way for now and will continue trying to fix this
>> and set it up like it was working before,
> Putting pam_ssh_agent_auth in debug mode on the target machine may
> help, with:
>
> /etc/pam.d/sudo:
>     auth sufficient pam_ssh_agent_auth.so debug ...

Thank you for all your research. So, answering several posts in one message and explaining more:

I did install F40 in a virtual machine and... it didn't work either.

I am actually SSH'ing from Fedora 42 to a VPS running Ubuntu 20.04. pam was configured a long time ago (probably in May 2020) and used to work fine until... now. So I thought it was coming from my Fedora update from 40 to 42 but apparently not.

I will follow your indications (@Francis) and try to figure out why this is no longer working.

Thank you and more at the next episode. :-)

Fred
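
An added troubleshooting sketch for the setup discussed in this thread (sudo authenticating through pam_ssh_agent_auth over a forwarded agent); it is not code from any of the posters. It assumes the usual arrangement in which sudoers keeps SSH_AUTH_SOCK via env_keep and, on Ubuntu, /etc/pam.d/sudo pulls in the password stack with "@include common-auth"; the function names and the --run switch are made up for this example.

```shell
#!/bin/sh
# Added troubleshooting sketch, not from the thread. Run it on the target
# machine inside the SSH session that should carry the forwarded agent.
# /etc/sudoers is normally readable by root only: run as root or pass copies.

AGENT_LINE='^[[:space:]]*auth[[:space:]]+[^#]*pam_ssh_agent_auth\.so'

# Active (uncommented) pam_ssh_agent_auth auth line present in the PAM file?
pam_has_agent_auth() { grep -Eq "$AGENT_LINE" "$1"; }

# Does that line carry the "debug" option suggested in the thread?
pam_agent_auth_debug() {
    grep -E "$AGENT_LINE" "$1" | grep -Eq '[[:space:]]debug([[:space:]]|$)'
}

# Is it the first auth entry, ahead of other auth lines and "@include common-auth"
# (assumed Ubuntu layout)? Otherwise the password stack is consulted first.
pam_agent_auth_first() {
    awk '/^[ \t]*(auth[ \t]|@include[ \t]+common-auth)/ {
             found = ($0 ~ /pam_ssh_agent_auth\.so/); exit }
         END { exit !found }' "$1"
}

# Does sudoers keep SSH_AUTH_SOCK, so the module can reach the agent under sudo?
sudoers_keeps_sock() {
    grep -Eq '^[[:space:]]*Defaults[^#]*env_keep[^#]*SSH_AUTH_SOCK' "$1"
}

# Is the forwarded agent reachable and holding at least one key?
agent_socket_ok() { [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]; }
agent_has_keys()  { ssh-add -l >/dev/null 2>&1; }

report() {  # report <label> <check> [args...]
    label=$1; shift
    if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fi
}

check_all() {
    pam=${1:-/etc/pam.d/sudo}; sudoers=${2:-/etc/sudoers}
    report "SSH_AUTH_SOCK is a socket"          agent_socket_ok
    report "agent lists at least one key"       agent_has_keys
    report "pam_ssh_agent_auth line is active"  pam_has_agent_auth "$pam"
    report "pam_ssh_agent_auth is first auth"   pam_agent_auth_first "$pam"
    report "debug option is set"                pam_agent_auth_debug "$pam"
    report "sudoers env_keep has SSH_AUTH_SOCK" sudoers_keeps_sock "$sudoers"
}

# Run only when asked: sh check.sh --run [pam_file] [sudoers_file]
if [ "${1:-}" = "--run" ]; then shift; check_all "$@"; fi
```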
