Hi!
Is there something that changed in F42 making forward agent no longer working? I'm logging in using SSH key to a VPS to which I usually log in without any problem.
I then sudo su, but it's asking for a password.
My config is as such:
Host myhost
    Hostname thatsite.com
    ForwardAgent Yes
    User myself
    IdentityFile ~/.ssh/s1_sca
    PubkeyAuthentication yes
    ControlPersist 5m
I copied the old .ssh from my backup so it's all the same files and I do manage to ssh to the server, just not sudo su.
Thank you.
Fred
Hi.
On Mon, 02 Jun 2025 21:32:41 +0700 Frederic Muller wrote:
I copied the old .ssh from my backup so it's all the same files and I do manage to ssh to the server, just not sudo su.
This is thus a change in the sudo configurations, not SSH. AFAIK sudo cannot be configured to authenticate with SSH keys.
Or maybe you have your SSH public key in /root/.ssh/authorized_keys and used: ssh root@myhost
On 02/06/2025 21:45, Francis.Montagnac@inria.fr wrote:
Hi.
On Mon, 02 Jun 2025 21:32:41 +0700 Frederic Muller wrote:
I copied the old .ssh from my backup so it's all the same files and I do manage to ssh to the server, just not sudo su.
This is thus a change in the sudo configurations, not SSH. AFAIK sudo cannot be configured to authenticate with SSH keys.
Or maybe you have your SSH public key in /root/.ssh/authorized_keys and used: ssh root@myhost
of course it can. It worked fine until... I switched to F42. SSH forward to ssh key to the target machine and my user uses that key on the target machine to authenticate and login into sudo.
The target machine hasn't changed at all. My laptop however has.
Well.. I'll do another way for now and will continue trying to fix this and set it up like it was working before, as it's happening to all the VPSes I am connecting to.
Thank you.
Fred
On Mon Jun02'25 10:45:48PM, Frederic Muller wrote:
From: Frederic Muller fred@cm17.com
Date: Mon, 2 Jun 2025 22:45:48 +0700
To: users@lists.fedoraproject.org
Reply-To: Community support for Fedora users users@lists.fedoraproject.org
Subject: Re: ssh forward agent
On 02/06/2025 21:45, Francis.Montagnac@inria.fr wrote:
Hi.
On Mon, 02 Jun 2025 21:32:41 +0700 Frederic Muller wrote:
I copied the old .ssh from my backup so it's all the same files and I do manage to ssh to the server, just not sudo su.
This is thus a change in the sudo configurations, not SSH. AFAIK sudo cannot be configured to authenticate with SSH keys.
Or maybe you have your SSH public key in /root/.ssh/authorized_keys and used: ssh root@myhost
of course it can. It worked fine until... I switched to F42. SSH forward to ssh key to the target machine and my user uses that key on the target machine to authenticate and login into sudo.
The target machine hasn't changed at all. My laptop however has.
Well.. I'll do another way for now and will continue trying to fix this and set it up like it was working before, as it's happening to all the VPSes I am connecting to.
Interesting, passwordless sudo seems quite risky to me (and seems to defeat the purpose of sudo). But can you get access to it through a non-F42 box? It is possible that the remote server has tightened restrictions?
Ranjan
________________________________________
users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On Mon, 2025-06-02 at 11:50 -0500, Ranjan Maitra via users wrote:
passwordless sudo seems quite risky to me (and seems to defeat the purpose of sudo).
Yes, and no...
If I "sudo something" the password I'm going to type is my own, which I already know. Though it does offer an "are you sure" moment to think before doing something bad.
The other thing it does is only allow specific users to use sudo to do something (however they authenticate), can limit what commands they can use with it, and logs what they do.
"su" is more risky. You have full root access, and the root password, and very little to indicate who did anything to the system.
Having said that, on my system where I am the sole user, I'll only use sudo if I know I'm doing just one thing. If I have to do a series of things, I will "su -" and do them all as root. It's just too tedious to do "sudo some-command" over and over.
Hi.
On Mon, 02 Jun 2025 22:45:48 +0700 Frederic Muller wrote:
On 02/06/2025 21:45, Francis.Montagnac@inria.fr wrote:
AFAIK sudo cannot be configured to authenticate with SSH keys.
of course it can.
Effectively, a search shows that this is possible by configuring sudo with pam_ssh_agent_auth (on the server, the target machine).
It worked fine until... I switched to F42. SSH forward to ssh key to the target machine and my user uses that key on the target machine to authenticate and login into sudo.
The target machine hasn't changed at all. My laptop however has.
F42 removed pam_ssh_agent_auth: https://fedoraproject.org/wiki/Changes/Remove_pam-ssh-agent_component but that should not be the reason.
I would suspect a change in ssh-agent, but a quick look at the changelog of openssh (F41: 9.8, F42: 9.9) does not show anything related.
Well.. I'll do another way for now and will continue trying to fix this and set it up like it was working before,
Putting pam_ssh_agent_auth in debug mode on the target machine may help, with:
/etc/pam.d/sudo: auth sufficient pam_ssh_agent_auth.so debug ...
On Tue, 2025-06-03 at 15:07 +0930, Tim via users wrote:
On Mon, 2025-06-02 at 11:50 -0500, Ranjan Maitra via users wrote:
passwordless sudo seems quite risky to me (and seems to defeat the purpose of sudo).
[...]
Having said that, on my system where I am the sole user, I'll only use sudo if I know I'm doing just one thing. If I have to do a series of things, I will "su -" and do them all as root. It's just too tedious to do "sudo some-command" over and over.
Exactly.
poc
On Tue, 03 Jun 2025 10:43:37 +0100 "Patrick O'Callaghan" pocallaghan@gmail.com wrote:
On Tue, 2025-06-03 at 15:07 +0930, Tim via users wrote:
On Mon, 2025-06-02 at 11:50 -0500, Ranjan Maitra via users wrote:
passwordless sudo seems quite risky to me (and seems to defeat the purpose of sudo).
[...]
Having said that, on my system where I am the sole user, I'll only use sudo if I know I'm doing just one thing. If I have to do a series of things, I will "su -" and do them all as root. It's just too tedious to do "sudo some-command" over and over.
Exactly.
poc
What about "sudo bash" for same result?
On 03/06/2025 13:15, Francis.Montagnac@inria.fr wrote:
Hi.
On Mon, 02 Jun 2025 22:45:48 +0700 Frederic Muller wrote:
On 02/06/2025 21:45, Francis.Montagnac@inria.fr wrote:
AFAIK sudo cannot be configured to authenticate with SSH keys.
of course it can.
Effectively, a search shows that this is possible by configuring sudo with pam_ssh_agent_auth (on the server, the target machine).
It worked fine until... I switched to F42. SSH forward to ssh key to the target machine and my user uses that key on the target machine to authenticate and login into sudo. The target machine hasn't changed at all. My laptop however has.
F42 removed pam_ssh_agent_auth: https://fedoraproject.org/wiki/Changes/Remove_pam-ssh-agent_component but that should not be the reason.
I would suspect a change in ssh-agent, but a quick look at the changelog of openssh (F41: 9.8, F42: 9.9) does not show anything related.
Well.. I'll do another way for now and will continue trying to fix this and set it up like it was working before,
Putting pam_ssh_agent_auth in debug mode on the target machine may help, with:
/etc/pam.d/sudo: auth sufficient pam_ssh_agent_auth.so debug ...
Thank you for all your research. So, answering several posts in one message and explaining more:
I did install F40 in a virtual machine and... it didn't work either.
I am actually SSH'ing from Fedora 42 to a VPS running Ubuntu 20.04. pam was configured a long time ago (probably in May 2020) and used to work fine until... now. So I thought it was coming from my Fedora update from 40 to 42, but apparently not.
I will follow your indications (@Francis) and try to figure out why this is no longer working.
Thank you and more at the next episode. :-)
Fred
On 03/06/2025 18:32, Frederic Muller wrote:
debugging...
So I am getting this for the /var/log/auth.log
[...]
Jun 3 18:54:09 airport1 sudo[2371]: pam_ssh_agent_auth: trying public key file /etc/security/authorized_keys
Jun 3 18:54:09 host sudo[2371]: pam_ssh_agent_auth: auth_secure_filename: checking for uid: 0
Jun 3 18:54:09 host sudo[2371]: pam_ssh_agent_auth: secure_filename: checking '/etc/security'
Jun 3 18:54:09 host sudo[2371]: pam_ssh_agent_auth: secure_filename: checking '/etc'
Jun 3 18:54:09 host sudo[2371]: pam_ssh_agent_auth: secure_filename: checking '/'
Jun 3 18:54:09 host sudo[2371]: pam_ssh_agent_auth: key not found
Jun 3 18:54:09 host sudo[2371]: pam_ssh_agent_auth: Failed Authentication: `user' as `user' using /etc/security/authorized_keys
Any idea why this is happening? I checked the authorized_keys and it's there, and it's the same as the /home/user/.ssh/authorized_keys and the key.pub for that user on my local machine.
Baffled!
Thanks.
Fred
On Tue, 2025-06-03 at 10:45 +0000, Bob Marčan via users wrote:
Having said that, on my system where I am the sole user, I'll only use sudo if I know I'm doing just one thing. If I have to do a series of things, I will "su -" and do them all as root. It's just too tedious
BTW, it's "sudo -i"
to do "sudo some-command" over and over.
Exactly.
poc
What about "sudo bash" for same result?
Not the same:
-i, --login
    Run the shell specified by the target user's password database entry as a login shell. This means that login-specific resource files such as .profile, .bash_profile, or .login will be read by the shell.
"sudo bash" will not run the login resources.
poc
On Tue, 03 Jun 2025 13:06:18 +0100 "Patrick O'Callaghan" pocallaghan@gmail.com wrote:
On Tue, 2025-06-03 at 10:45 +0000, Bob Marčan via users wrote:
Having said that, on my system where I am the sole user, I'll only use sudo if I know I'm doing just one thing. If I have to do a series of things, I will "su -" and do them all as root. It's just too tedious
BTW, it's "sudo -i"
to do "sudo some-command" over and over.
Exactly.
poc
What about "sudo bash" for same result?
Not the same:
-i, --login
    Run the shell specified by the target user's password database entry as a login shell. This means that login-specific resource files such as .profile, .bash_profile, or .login will be read by the shell.
"sudo bash" will not run the login resources.
poc
That's exactly what I want.
On Tue, 03 Jun 2025 19:00:06 +0700 Frederic Muller wrote:
Jun 3 18:54:09 host sudo[2371]: pam_ssh_agent_auth: Failed Authentication: `user' as `user' using /etc/security/authorized_keys
Any idea why this is happening? I checked the authorized_keys and it's there, and it's the same as the /home/user/.ssh/authorized_keys and the key.pub for that user on my local machine.
Your ssh-agent is perhaps using different keys than the ones present in /etc/security/authorized_keys.
Can you check that?
With "ssh-add -L", for example, on the target machine.
~/.ssh/s1_sca is perhaps not encrypted, thus allowing you to ssh without using ssh-agent.
Also, what is the type of the dedicated key? This old pam_ssh_agent_auth may not know the new types such as ed25519.
A modern version of pam_ssh_agent_auth explicitly specifies that it supports only some types. See: https://github.com/z4yx/pam_rssh
On Tue, Jun 3, 2025 at 8:00 AM Frederic Muller fred@cm17.com wrote:
Any idea why this is happening? I check the authorized_keys and it's there, and it's the same as the /home/user/.ssh/authorized_keys and the key.pub for that user on my local machine.
Verify the permissions on the relevant files *and* directories. I know ssh is picky about such, no idea if it applies in your specific case.
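Added example, not code from the thread: a small offline helper that does the checks suggested in the two replies above. It compares what the forwarded agent offers (the lines "ssh-add -L" prints) with /etc/security/authorized_keys by key type and key blob rather than by comment, flags agent keys whose type an old module build might not accept, and walks the key file's path checking ownership and group/world-writability, the same kind of check the secure_filename lines in the auth.log excerpt correspond to. The agent listing, the authorized_keys contents and the stat data are constructed sample input; the set of key types an old module accepts (OLD_MODULE_TYPES) is an assumption for the example, not the module's documented list.

```python
import base64
import os
import stat
import struct

# ASSUMPTION (constructed for this example): key types an old
# pam_ssh_agent_auth build is taken to accept. The thread only says an old
# build may not know newer types such as ed25519.
OLD_MODULE_TYPES = {"ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256"}

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_keys(text):
    """Parse authorized_keys-style lines (the format `ssh-add -L` prints too).

    Returns a list of (type, blob_b64, comment). Blank and '#' lines are
    skipped; a leading options field such as from="..." is tolerated by
    taking the first token that names a key type. The blob must decode and
    start with the type string (SSH wire format), else the line is malformed.
    """
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(KEY_TYPE_PREFIXES):
                ktype, blob = tok, tokens[i + 1]
                comment = " ".join(tokens[i + 2:])
                break
        else:
            raise ValueError(f"line {lineno}: no key type found")
        raw = base64.b64decode(blob, validate=True)
        if len(raw) < 4:
            raise ValueError(f"line {lineno}: blob too short")
        (n,) = struct.unpack(">I", raw[:4])  # uint32 length of the type string
        if raw[4:4 + n] != ktype.encode():
            raise ValueError(f"line {lineno}: blob does not match type {ktype}")
        keys.append((ktype, blob, comment))
    return keys


def compare_agent_to_file(agent_listing, authorized_text, supported=OLD_MODULE_TYPES):
    """Classify each agent key: matched, not in the file, or unsupported type.

    Matching is by (type, blob); comments are ignored, which is what an
    eyeball comparison of the two files tends to get wrong.
    """
    allowed = {(t, b) for t, b, _ in parse_keys(authorized_text)}
    report = {"matched": [], "not_in_file": [], "unsupported_type": []}
    for ktype, blob, comment in parse_keys(agent_listing):
        label = comment or f"{ktype} {blob[:12]}..."
        if (ktype, blob) not in allowed:
            report["not_in_file"].append(label)
        elif ktype not in supported:
            report["unsupported_type"].append(label)
        else:
            report["matched"].append(label)
    return report


def insecure_path_components(path, stat_fn=os.stat, trusted_uids=(0,)):
    """Walk from `path` up to '/' and return components that would fail a
    secure-path check: not owned by a trusted uid, or group/world-writable.
    `stat_fn` is injectable so the walk can be exercised on constructed data.
    """
    problems = []
    p = os.path.abspath(path)
    while True:
        st = stat_fn(p)
        if st.st_uid not in trusted_uids or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(p)
        if p == "/":
            return problems
        p = os.path.dirname(p)


def _blob(ktype, material):
    """Constructed key blob in SSH wire format (type string + fake material)."""
    t = ktype.encode()
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", len(material)) + material
    return base64.b64encode(raw).decode()


# Constructed sample input (not keys from the thread).
AGENT_LISTING = "\n".join([
    f"ssh-rsa {_blob('ssh-rsa', b'A' * 16)} fred@laptop-old",
    f"ssh-ed25519 {_blob('ssh-ed25519', b'B' * 32)} fred@laptop-f42",
    f"ssh-rsa {_blob('ssh-rsa', b'C' * 16)} fred@other",
])
SERVER_AUTHORIZED = "\n".join([
    "# /etc/security/authorized_keys (constructed)",
    f"ssh-rsa {_blob('ssh-rsa', b'A' * 16)} fred@laptop",  # same key, other comment
    f"from=\"10.0.0.0/8\" ssh-ed25519 {_blob('ssh-ed25519', b'B' * 32)} fred@laptop-f42",
])


class _FakeStat:
    def __init__(self, uid, mode):
        self.st_uid, self.st_mode = uid, mode


# Constructed stat data: /etc/security group-writable, key file user-owned.
FAKE_FS = {
    "/": _FakeStat(0, 0o40755),
    "/etc": _FakeStat(0, 0o40755),
    "/etc/security": _FakeStat(0, 0o40775),
    "/etc/security/authorized_keys": _FakeStat(1000, 0o100644),
}


def demo_path_check():
    return insecure_path_components("/etc/security/authorized_keys",
                                    stat_fn=lambda p: FAKE_FS[p])


if __name__ == "__main__":
    print(compare_agent_to_file(AGENT_LISTING, SERVER_AUTHORIZED))
    print(demo_path_check())
```

On a real target, feed compare_agent_to_file the output of "ssh-add -L" (run over the forwarded connection) and the contents of the file named in the log, and call insecure_path_components with the default os.stat; an ed25519 key that matches but lands in unsupported_type, or a user-owned key file, each explains a "key not found" with the key visibly present in the file.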
Tim:
Having said that, on my system where I am the sole user, I'll only use sudo if I know I'm doing just one thing. If I have to do a series of things, I will "su -" and do them all as root. It's just too tedious to do "sudo some-command" over and over.
poc:
Exactly.
Bob Marčan:
What about "sudo bash" for same result?
I find when I'm doing admin tasks, not only do I issue commands to do things, I'm listing directories, changing directories, creating config files and making notes. I really want a full normal environment, and I want to know what it is.
Just trying "sudo bash" on a non-Fedora box (where I am at the moment), I notice that "echo $PATH" is different from "su -" as just one simple test.
poc:
"sudo bash" will not run the login resources.
Bob Marčan:
That's exactly what I want.
"su" without the dash after it will do that, too. But horses for courses applies (*you* do what *you* need).
On Wed, 04 Jun 2025 01:33:40 +0930 "Tim via users" users@lists.fedoraproject.org wrote:
poc:
"sudo bash" will not run the login resources.
Bob Marčan:
That's exactly what I want.
"su" without the dash after it will do that, too. But horses for courses applies (*you* do what *you* need).
True. But does "sudo bash" ask you for a password?
On Tue, 2025-06-03 at 13:06 +0100, Patrick O'Callaghan wrote:
Having said that, on my system where I am the sole user, I'll only use sudo if I know I'm doing just one thing. If I have to do a series of things, I will "su -" and do them all as root. It's just too tedious
BTW, it's "sudo -i"
My bad. I misread your version as 'sudo -', which is an error. Personally I always use 'sudo -i' to skip having to type the root password (this is on my personal machine with no other users).
poc
Tim:
Having said that, on my system where I am the sole user, I'll only use sudo if I know I'm doing just one thing. If I have to do a series of things, I will "su -" and do them all as root. It's just too tedious
Bob Marčan:
BTW, it's "sudo -i"
No, it's not. When I said I typed "su -" I meant that I typed "su -".
I'm not sudo-ing when I'm doing a plethora of things, I've become root with the "su" command, and using "su -" with the added dash I'm in their environment, too.
Once upon a time, Tim ignored_mailbox@yahoo.com.au said:
Bob Marčan:
BTW, it's "sudo -i"
No, it's not. When I said I typed "su -" I meant that I typed "su -".
I'm not sudo-ing when I'm doing a plethora of things, I've become root with the "su" command, and using "su -" with the added dash I'm in their environment, too.
Which is what "sudo -i" does, without the superfluous "su -". And you can use "sudo -s" instead of "sudo su" too.
I don't know where the idea that you need to run a second super-user tool from the first super-user tool came from.
Bob Marčan:
BTW, it's "sudo -i"
Tim:
No, it's not. When I said I typed "su -" I meant that I typed "su -".
Chris Adams:
Which is what "sudo -i" does, without the superfluous "su -". And you can use "sudo -s" instead of "sudo su" too.
I don't know where the idea that you need to run a second super-user tool from the first super-user tool came from.
Dunno why people find this so hard to understand, or why people are erroneously correcting what they *think* I was doing.
I was not typing sudo anything, not sudo su anything, just "su -". If I was typing "sudo su <something or other>", I would have said so. When I say I'm doing something, take it as read that *that* is exactly what I'm doing; don't interpret it into something else.
For *decades* if you are logged in as yourself, and want to temporarily do something as the root user, *one* technique has been to simply type in "su -" in your command line hit enter, and enter the root password at the prompt. From then on, you are logged in as root. Very simple. You can do a collection of tasks, related or not, simply by doing them.
For example:
[tim@rocky ~]$ su -
Password:
Last login: Wed Jun 4 01:29:37 ACST 2025 on pts/7
[root@rocky ~]# ll /etc/httpd/conf.d
Yes, there are risks. And there are risks with doing "sudo <command>" as yourself, too. But the results are entirely predictable (which hasn't always been the case with sudo, in the past, at least). And it is less typing, too.
Chris Adams wrote:
Once upon a time, Tim ignored_mailbox@yahoo.com.au said:
Bob Marčan:
BTW, it's "sudo -i"
No, it's not. When I said I typed "su -" I meant that I typed "su -".
I'm not sudo-ing when I'm doing a plethora of things, I've become root with the "su" command, and using "su -" with the added dash I'm in their environment, too.
Which is what "sudo -i" does, without the superfluous "su -". And you can use "sudo -s" instead of "sudo su" too.
I don't know where the idea that you need to run a second super-user tool from the first super-user tool came from.
I'm pretty sure Tim isn't running "sudo su -" but simply using "su -".
That said, there are configs and/or sudo releases where "sudo -i" did or does not clean the environment as well as is needed. This seems to have been resolved in later versions of sudo (whether in the code or the default configurations, I don't know nor am I curious enough to poke more at the moment).
But on some long-unsupported releases of CentOS, I have "__git_ps1()" in my PS1 and using "sudo -i" leaves that in place, resulting in an error each time the prompt is displayed:
-bash: __git_ps1: command not found
That made "sudo su -" more appealing in at least one case that I cared about.
I generally agree that the combination isn't needed in most cases. But there are exceptions (or at least there were, for long enough that habits and muscle memory comes into play). :)
Despite more modern CentOS Stream/RHEL/Rocky/etc having PS1 and PS2 in the env_keep list (while Fedora removed it per rhbz#1676925 in 2019¹), they no longer pass along my PS1 with "__git_ps1()" in it. Since that's not something I really want to happen, I haven't dug into exactly why.
¹ https://bugzilla.redhat.com/1676925