sudopk: sudo auth via ssh-agent - port to Ubuntu?
neal at bcn.boulder.co.us
Wed Dec 17 05:16:58 UTC 2008
I like the standard use of sudo in Ubuntu, for logging, extra
security, etc. But it can be risky to type a password into a remote
machine for sudo, e.g. a remote server or EC2 virtual machine. If the
remote machine is compromised, the password could be exposed and that
might open up other machines to compromise.
Instead I'd like to get ssh-agent involved: sudo on the remote machine
can do a challenge-response via its ssh-agent socket to get the local
machine's ssh-agent to authenticate.
This was requested a few years ago at:
and I started thinking about it again given the EC2 beta.
I just found that the recent USENIX LISA conference had a paper on an
implementation of this for OpenBSD 4.2 using the BSD Authentication
framework, which is like PAM:
An OpenBSD patch is at http://www.cs.columbia.edu/~mb/code/sudopk
Anyone up for porting that to Ubuntu, perhaps via PAM?
I've written one of the authors, Matthew Burnside, and he is happy to
help anyone who wants to do it, but won't have time to do so soon.
Neal McBurnett http://neal.mcburnett.org/
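The challenge-response sketched in the post, modelled in Go as an added example (not code from the post, the LISA paper or the sudopk patch): the sudo/PAM side builds an SSH_AGENTC_SIGN_REQUEST over a fresh nonce for the forwarded agent socket, the local agent answers with an SSH_AGENT_SIGN_RESPONSE, and sudo verifies the signature against the user's authorized public key, so the private key never touches the remote machine. Message numbers and string framing follow the ssh-agent protocol draft (draft-miller-ssh-agent); the ed25519 key type, the in-process agent and all function names are assumptions of this demo.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
)

// ssh-agent protocol (draft-miller-ssh-agent) message types used here.
const agentFailure, agentcSignRequest, agentSignResponse byte = 5, 13, 14

// sshString encodes an SSH "string": uint32 big-endian length, then the bytes.
func sshString(s []byte) []byte {
	return append(binary.BigEndian.AppendUint32(nil, uint32(len(s))), s...)
}
// readString pops one SSH "string" off the front of buf; s is nil on truncated input.
func readString(buf []byte) (s, rest []byte) {
	if len(buf) < 4 || uint64(len(buf)-4) < uint64(binary.BigEndian.Uint32(buf)) {
		return nil, nil
	}
	n := binary.BigEndian.Uint32(buf)
	return buf[4 : 4+n], buf[4+n:]
}
// signRequest (sudo side) builds SSH_AGENTC_SIGN_REQUEST: byte 13, string key blob (string "ssh-ed25519", string pub, i.e. the user's authorized key), string challenge, uint32 flags.
func signRequest(pub ed25519.PublicKey, challenge []byte) []byte {
	blob := append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
	msg := append([]byte{agentcSignRequest}, sshString(blob)...)
	return append(append(msg, sshString(challenge)...), 0, 0, 0, 0)
}
// agentSign models the local ssh-agent holding one key (a real agent looks the blob up among its keys); it answers SSH_AGENT_SIGN_RESPONSE: byte 14, string (string algo, string sig), or SSH_AGENT_FAILURE.
func agentSign(msg []byte, priv ed25519.PrivateKey) []byte {
	if len(msg) == 0 || msg[0] != agentcSignRequest {
		return []byte{agentFailure}
	}
	_, rest := readString(msg[1:]) // skip the key blob, then read the challenge
	if data, _ := readString(rest); data != nil {
		sig := append(sshString([]byte("ssh-ed25519")), sshString(ed25519.Sign(priv, data))...)
		return append([]byte{agentSignResponse}, sshString(sig)...)
	}
	return []byte{agentFailure}
}
// verifyResponse (sudo/PAM side) checks the signature over our own fresh challenge against the authorized key.
func verifyResponse(resp, challenge []byte, pub ed25519.PublicKey) bool {
	if len(resp) == 0 || resp[0] != agentSignResponse {
		return false
	}
	sigBlob, _ := readString(resp[1:])
	algo, rest := readString(sigBlob)
	sig, _ := readString(rest)
	return sig != nil && string(algo) == "ssh-ed25519" && ed25519.Verify(pub, challenge, sig)
}
```

The nonce must be freshly random per attempt, so a response captured on a compromised host cannot be replayed later. A compromised host can still ask the forwarded agent to sign while the session is open, so the gain over a typed password is that nothing reusable survives logout, not that the host is trusted less during the session.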