Restrict sudo to keys

As described in the previous blog post, the flexibility of Debian preseeding can be increased considerably. It may be worth reading that post first, to have the context for this one.

With numbered late commands in place it becomes possible, for example, to install an authorized_keys file for the primary user. A host-specific preseed file doing that could include something along the lines of the snippet below. As can be seen, the login keys are expected to be served from the PXE server; a real setup might well deploy them through some other means.

d-i preseed/include string common.txt \
    scripting-flexibility.txt \
    debian/11-bullseye.txt \
    auth/sudo-ssh.txt

d-i preseed/numbered_late_command_20 string wget -O \
    /target/tmp/authorized_keys http://pxeserver./files/authorized_keys ; \
    in-target sudo -u `debconf-get passwd/username` sh -c \
    "cd; mkdir -p .ssh; chmod 700 .ssh; cp /tmp/authorized_keys .ssh/ ; chmod 600 .ssh/authorized_keys"

d-i pkgsel/include string libpam-ssh-agent-auth

One can then place something like the block below as auth/sudo-ssh.txt, and passwords become a thing of the past, as those same keys get copied to also be used for sudoing. Note how including scripting-flexibility.txt enables the use of numbered late commands in two separate files, in a way that a single late_command by itself would not permit.

d-i preseed/numbered_late_command_90 string in-target \
    cp /home/`debconf-get passwd/username`/.ssh/authorized_keys /etc/security/authorized_keys
d-i preseed/numbered_late_command_91 string mv /target/etc/pam.d/sudo \
    /target/etc/pam.d/sudo.d-i_default
d-i preseed/numbered_late_command_92 string for S in '#%PAM-1.0' \
    '' \
    'auth [success=2 default=ignore] pam_ssh_agent_auth.so file=/etc/security/authorized_keys' \
    '@include common-auth' \
    '@include common-account' \
    '' \
    'session required pam_permit.so' \
    'session required pam_limits.so'; \
    do echo "$S" >> /target/etc/pam.d/sudo ; done
d-i preseed/numbered_late_command_93 string \
    echo 'Defaults    env_keep += "SSH_AUTH_SOCK"' > \
    /target/etc/sudoers.d/00-ssh-auth-sock ; \
    chmod 440 /target/etc/sudoers.d/00-ssh-auth-sock

To clarify, the snippet above makes sudo authenticate users with their ssh keys, through pam_ssh_agent_auth and the agent forwarded in SSH_AUTH_SOCK. Please do make sure the libpam-ssh-agent-auth package gets installed, and that the keys are available when numbered_late_command_90 runs. Otherwise becoming root might become a bit tricky.
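Since a mistake in any of the pieces above (the package missing, the key copy running before the keys arrived, a sudoers drop-in with the wrong mode) only shows up when sudo refuses you, it is worth checking the installed tree before rebooting. The script below is an added example and not part of the original post. It assumes the paths the late commands write (/etc/security/authorized_keys, /etc/pam.d/sudo, /etc/sudoers.d/00-ssh-auth-sock and the user's ~/.ssh/authorized_keys) and can be pointed at /target from the installer shell or at / on the finished system. The fixture it builds when run without arguments is constructed for demonstration; the key line in it is a placeholder, not a real public key.

```sh
#!/bin/sh
# Post-install check for the key-based sudo setup produced by the preseed
# snippets above. Added example, not part of the original post.
#   sh check-sudo-ssh.sh /target alice    (from the installer shell)
#   sh check-sudo-ssh.sh / alice          (on the installed system)
# Without arguments it runs against a constructed fixture instead.

# File mode in octal: GNU stat first, BSD stat as a fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null; }

# check_sudo_ssh ROOT USER: return 0 if every check passes, 1 otherwise.
# Every failure is reported on stderr so nothing is silently skipped.
check_sudo_ssh() {
    css_root=$1 css_user=$2 css_rc=0
    fail() { echo "FAIL: $*" >&2; css_rc=1; }

    userkeys="$css_root/home/$css_user/.ssh/authorized_keys"
    sudokeys="$css_root/etc/security/authorized_keys"
    pamsudo="$css_root/etc/pam.d/sudo"
    sudoers="$css_root/etc/sudoers.d/00-ssh-auth-sock"

    # Key material: the user's file must exist, be private to the user and be
    # identical to the copy the PAM module is told to consult.
    [ -s "$userkeys" ] || fail "$userkeys is missing or empty"
    [ "$(mode_of "$userkeys")" = 600 ] || fail "$userkeys should be mode 600"
    [ -s "$sudokeys" ] || fail "$sudokeys is missing or empty (did late_command_90 run before the keys arrived?)"
    cmp -s "$userkeys" "$sudokeys" || fail "$sudokeys differs from $userkeys"

    # The module itself: libpam-ssh-agent-auth must actually be installed.
    [ -n "$(find "$css_root/lib" "$css_root/usr/lib" -name pam_ssh_agent_auth.so 2>/dev/null | head -n1)" ] \
        || fail "pam_ssh_agent_auth.so not found under $css_root (libpam-ssh-agent-auth not installed?)"

    # PAM stack: the agent-auth line must name the key file and must come
    # before common-auth, otherwise the password prompt is reached first.
    grep -q 'pam_ssh_agent_auth\.so.*file=/etc/security/authorized_keys' "$pamsudo" 2>/dev/null \
        || fail "$pamsudo has no pam_ssh_agent_auth line pointing at /etc/security/authorized_keys"
    agent_no=$(grep -n 'pam_ssh_agent_auth\.so' "$pamsudo" 2>/dev/null | head -n1 | cut -d: -f1)
    auth_no=$(grep -n '^@include common-auth' "$pamsudo" 2>/dev/null | head -n1 | cut -d: -f1)
    { [ -n "$agent_no" ] && [ -n "$auth_no" ] && [ "$agent_no" -lt "$auth_no" ]; } \
        || fail "pam_ssh_agent_auth must precede @include common-auth in $pamsudo"

    # sudoers drop-in: SSH_AUTH_SOCK has to survive sudo's environment reset,
    # and sudo rejects sudoers.d files with a looser mode than 440.
    grep -q 'env_keep *+= *"SSH_AUTH_SOCK"' "$sudoers" 2>/dev/null \
        || fail "$sudoers does not keep SSH_AUTH_SOCK"
    [ "$(mode_of "$sudoers")" = 440 ] || fail "$sudoers should be mode 440"

    return $css_rc
}

# make_fixture DIR USER: a constructed stand-in for /target so the check can be
# exercised without an installer. The key line is a placeholder, not a real
# public key, and the empty .so only stands in for the installed module.
make_fixture() {
    mf_d=$1 mf_u=$2
    mkdir -p "$mf_d/home/$mf_u/.ssh" "$mf_d/etc/security" "$mf_d/etc/pam.d" \
             "$mf_d/etc/sudoers.d" "$mf_d/lib/security"
    echo "ssh-ed25519 AAAA-constructed-placeholder-not-a-real-key $mf_u@example" \
        > "$mf_d/home/$mf_u/.ssh/authorized_keys"
    chmod 600 "$mf_d/home/$mf_u/.ssh/authorized_keys"
    cp "$mf_d/home/$mf_u/.ssh/authorized_keys" "$mf_d/etc/security/authorized_keys"
    : > "$mf_d/lib/security/pam_ssh_agent_auth.so"
    # Same PAM stack the numbered_late_command_92 loop writes.
    printf '%s\n' '#%PAM-1.0' '' \
        'auth [success=2 default=ignore] pam_ssh_agent_auth.so file=/etc/security/authorized_keys' \
        '@include common-auth' '@include common-account' '' \
        'session required pam_permit.so' 'session required pam_limits.so' \
        > "$mf_d/etc/pam.d/sudo"
    echo 'Defaults    env_keep += "SSH_AUTH_SOCK"' > "$mf_d/etc/sudoers.d/00-ssh-auth-sock"
    chmod 440 "$mf_d/etc/sudoers.d/00-ssh-auth-sock"
}

# Stand-alone run: check a real tree if ROOT and USER were given, otherwise
# demonstrate on the fixture, including one deliberately broken state.
if [ $# -eq 2 ]; then
    check_sudo_ssh "$1" "$2" && echo "sudo-over-ssh-keys setup looks consistent under $1"
else
    fx=$(mktemp -d)
    make_fixture "$fx" demo
    check_sudo_ssh "$fx" demo && echo "fixture passes"
    chmod 644 "$fx/etc/sudoers.d/00-ssh-auth-sock"
    check_sudo_ssh "$fx" demo || echo "fixture with loose sudoers mode is rejected, as intended"
    rm -rf "$fx"
fi
```

On the real system, `visudo -c` remains the authoritative test of the sudoers drop-in (it also verifies root ownership, which the script does not), and the final proof is a fresh login with agent forwarding enabled followed by `sudo -v`.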


2020-04-19 13:40:35 +0000
Thoughts and feedback may be directed at me using the channel listed on my contact page.
