I currently use Kryptonite to handle protecting the private key I use to SSH into hosts. This works well, except when I need to escalate to root.
When I sudo I have to go copy a randomly generated 20-character string out of my password manager, check that I'm really at the password prompt, and paste it to get my command running.
I'd much rather use my Yubikey to authenticate sudo. I can find 101 guides on how to do this when sudoing on on local hosts with the Yubikey plugged into my local hosts, but how can I do this when I want to sudo on a remote host over SSH with the key plugged into my local machine?
Both local and remote hosts are running recent Linux/GNU distros, specifically RHEL/Fedora if it makes a difference.
Best Answer
There is
pam_ssh_agent_auth, which does exactly what you need. This package is available for both Fedora and RHEL so the process of setting up and installing is very straight-forward:Add to your
/etc/sudoers:Put your ssh-public key to
/etc/security/authorized_keys(get it from yubikey for example usingssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so)Add a line to the start of
/etc/pam.d/sudo:Then you just add the pkcs11 library to your
ssh-agentand you can runsudowithout password (authenticating using key on the token):This process is also described in the manual page for
pam_ssh_agent_auth.Note that the keys on the yubikey needs to be generated before, but this is described in the Yubico documentation already.