ssh-agent for sudo authentication with a passwordless account


December 7, 2014

On a public system it is generally best to disable password-based ssh logins and require authorized keys instead. This complicates things if you want to use sudo from a regular user account, since by default sudo verifies the user with the standard system password before running commands as root.

Enter pam_ssh_agent_auth. This module allows using regular ssh keys and ssh-agent to verify the user has the proper authorization to use sudo.


You’ll want to start by ensuring you have generated ssh keys for your user and are using ssh-agent. To generate the keys:

$ ssh-keygen

Then just accept the defaults, but make sure to set a passphrase for your new key pair. Add the public key to $HOME/.ssh/authorized_keys.


Since the PAM module isn’t packaged in Debian, first install the build dependencies:

# apt-get install build-essential checkinstall libssl-dev libpam0g-dev

Next, grab the source and build:

# wget
# tar -xvjf pam_ssh_agent_auth-0.10.2.tar.bz2
# cd pam_ssh_agent_auth-0.10.2
# ./configure --libexecdir=/lib/security --with-mantype=man
# make
# checkinstall

The --libexecdir option to the configure script is needed because Debian keeps PAM modules in /lib/security, which is not where pam_ssh_agent_auth installs itself by default.


Edit the file /etc/pam.d/sudo and add the following line before any other auth or @include lines:

auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys

Run visudo to edit /etc/sudoers and add this line before any other Defaults lines, so that sudo passes the agent socket through to the PAM module:

Defaults env_keep += SSH_AUTH_SOCK

Invoking sudo

To actually be able to use sudo now, run ssh-agent like so:

$ eval `ssh-agent`

and add the key:

$ ssh-add -t 600

This makes the key expire from the agent after 10 minutes (600 seconds).


A more elegant way of adding keys and running ssh-agent, including checking to see if a process is already running!
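Here is one such helper, written as an added example for this page and not the script the post refers to: it reuses an agent when ssh-add can reach one, starts one otherwise, loads the key with the same 600-second timeout, and can also check that the two configuration lines above are in place. The KEY_TIMEOUT, PAM_SUDO and SUDOERS variables are assumptions; adjust them to your system.

```shell
#!/bin/sh
# Added helper (not from the original post) for the ssh-agent + pam_ssh_agent_auth
# setup above. The timeout and the two config paths are assumptions.
KEY_TIMEOUT=${KEY_TIMEOUT:-600}          # seconds, as in `ssh-add -t 600`
PAM_SUDO=${PAM_SUDO:-/etc/pam.d/sudo}
SUDOERS=${SUDOERS:-/etc/sudoers}

# Return 0 when an agent answers on $SSH_AUTH_SOCK. `ssh-add -l` exits 0 with
# keys loaded, 1 with none loaded, and 2 when it cannot contact an agent.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]
}

# Start a new agent only when none is reachable, then load the key with the
# timeout so it expires on its own (same effect as the eval/ssh-add steps above).
ensure_agent_and_key() {
    if agent_reachable; then
        echo "reusing agent at $SSH_AUTH_SOCK"
    else
        eval "$(ssh-agent -s)" >/dev/null
        echo "started agent pid $SSH_AGENT_PID"
    fi
    ssh-add -t "$KEY_TIMEOUT"
}

# The pam_ssh_agent_auth line must be the FIRST auth/@include line in $1;
# otherwise an earlier module (e.g. password auth) is consulted before it.
pam_line_first() {
    first=$(grep -E '^[[:space:]]*(auth|@include)' "$1" 2>/dev/null | head -n 1)
    case "$first" in
        *pam_ssh_agent_auth*) return 0 ;;
        *) return 1 ;;
    esac
}

# sudo must keep SSH_AUTH_SOCK, or the PAM module cannot reach the agent.
sudoers_keeps_sock() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"?SSH_AUTH_SOCK"?' "$1"
}

# `sh agent.sh check` validates the two edits; `sh agent.sh run` starts the agent.
case "${1:-}" in
    check)
        pam_line_first "$PAM_SUDO" && echo "ok: $PAM_SUDO" || echo "FAIL: $PAM_SUDO"
        sudoers_keeps_sock "$SUDOERS" && echo "ok: $SUDOERS" || echo "FAIL: $SUDOERS"
        ;;
    run) ensure_agent_and_key ;;
esac
```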

