From: "Michael W. Lucas" <mwlucas@bewilderbeast.blackhelicopters.org>
To: questions@freebsd.org
Date: Thu, 8 Dec 2011 11:45:33 -0500
Subject: PAM confusion
Message-ID: <20111208164533.GA67774@bewilderbeast.blackhelicopters.org>
List-Id: User questions (freebsd-questions@freebsd.org)

Hi,

I'm attempting to hook security/pam_ssh_agent_auth into sudo, and have learned that PAM doesn't work the way I thought it did. I'm running FreeBSD-9/i386, with sudo 1.7.2.6. My goal is that sudo pass all auth requests back to the users' SSH agent.
Sudo should never use passwords for authentication. If the user doesn't have an SSH agent, or if the SSH agent breaks somehow, the sudo request is denied.

With my current config, sudo requests are accepted without a password even if the users' environment has no $SSH_AUTH_SOCK. I'm obviously doing something wrong.

Here's my pam.d/sudo. I removed password settings and required the pam_ssh_agent_auth library.

---
#auth include system
auth required /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys

# account
account include system

# session
# XXX: pam_lastlog (used in system) causes users to appear as though
# they are no longer logged in in system logs.
session required pam_permit.so

# password
#password include system
---

Any suggestions what I'm doing wrong?

Thanks,
==ml

--
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
mwlucas@BlackHelicopters.org, Twitter @mwlauthor