Ubuntu – Key Authentication Issues with SSH or Rsync as Sudo

passwordrsyncsshsudoUbuntu

I have ssh RSA key authentication setup between a client and an ubuntu server (following this procedure):
-the RSA key authentication for ssh and rsync work fine (no need for password).
-the RSA key authentication for sudo rsync and sudo ssh fails (I'm prompted for a password).
-I need to use sudo rsync to write the remote files locally.

I'm running the command as follows:

user1@server:/$ sudo su user2
user2@server:/$ rsync 192.168.1.2:... # ok
user2@server:/$ sudo rsync 192.168.1.2:... # remote host password prompt

FYI both user1 and user2 are part of sudoers

Any idea where that could be coming from?

Thanks.

updated: to clarify, the password prompt is not coming from sudo but from the server

Best Answer

You need to tell it to use the correct public key. I suspect ssh is still using user1's key, not user2. Use this command:

sudo -u user2 ssh -i ~user2/.ssh/id_rsa remoteserver

I tested this on my machine and it worked.

Related Solutions

SSH Authentication – How to Make SSH Fail Rather Than Prompt for Password

For OpenSSH there is BatchMode, which in addition to disabling password prompting, should disable querying for passphrase(s) for keys.

BatchMode

If set to “yes”, passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password. The argument must be “yes” or “no”. The default is “no”.

Sample usage:

ssh -oBatchMode=yes -l <user> <host> <dostuff>

Ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

Best Answer

Related Solutions

SSH Authentication – How to Make SSH Fail Rather Than Prompt for Password

Ssh-agent forwarding and sudo to another user

Related Topic