Add role sudo_by_ssh_agent

huyz · huyz · commit a769269c5816 · 2023-03-11T20:33:51.000-08:00
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -13,12 +13,14 @@ Release Summary
 
 | Release Date: 2023-03-09
 | Initial release of the password_prompt role
+| Initial release of the sudo_by_ssh_agent role
 
 
 Major Changes
 -------------
 
 - prompt_password - initial commit
+- sudo_by_ssh_agent - initial commit
 
 v1.0.2
 ======
diff --git a/README.md b/README.md
@@ -11,11 +11,15 @@ This Ansible collection contains roles for general use.
 Roles:
 
 - `huyz.general.add_to_config_file` ([README](https://github.com/huyz/ansible-collection-huyz-general/blob/master/roles/add_to_config_file/README.md))
-    - Function: Safely insert a block into one or more shell config files
-    - Use case: Mainly intended to be re-used by other roles
+    - Function: Safely insert a block into one or more shell config files.
+    - Use case: Mainly intended to be re-used by other roles.
 - `huyz.general.prompt_password` ([README](https://github.com/huyz/ansible-collection-huyz-general/blob/master/roles/prompt_password/README.md))
     - Function: Prompts for the `ansible_password` if not defined.
-    - Use case: Avoid the need to call `ansible-playbook` with `--ask-pass` and `--ask-become-pass`
+    - Use case: Avoid the need to call `ansible-playbook` with `--ask-pass` and `--ask-become-pass`.
+- `huyz.general.sudo_by_ssh_agent` ([README](https://github.com/huyz/ansible-collection-huyz-general/blob/master/roles/sudo_by_ssh_agent/README.md))
+    - Function: Configures sudo to use the `libpam-ssh-agent-auth` package and
+      authorize the provided ssh key.
+    - Use case: Avoid the need to authenticate with a password to run privileged commands.
 
 ---
 
diff --git a/changelogs/changelog.yaml b/changelogs/changelog.yaml
@@ -17,12 +17,16 @@ releases:
     changes:
       major_changes:
       - prompt_password - initial commit
+      - sudo_by_ssh_agent - initial commit
       release_summary: '| Release Date: 2023-03-09
 
         | Initial release of the password_prompt role
 
+        | Initial release of the sudo_by_ssh_agent role
+
         '
     fragments:
     - 2023-03-09_prompt_password.yml
+    - 2023-03-09_sudo_by_ssh_agent.yml
     - 2023-03-09_v1.0.3_summary.yml
     release_date: '2023-03-09'
diff --git a/changelogs/fragments/2023-03-09_sudo_by_ssh_agent.yml b/changelogs/fragments/2023-03-09_sudo_by_ssh_agent.yml
@@ -0,0 +1,2 @@
+major_changes:
+  - sudo_by_ssh_agent - initial commit
diff --git a/changelogs/fragments/2023-03-09_v1.0.3_summary.yml b/changelogs/fragments/2023-03-09_v1.0.3_summary.yml
@@ -1,3 +1,4 @@
 release_summary: |
   | Release Date: 2023-03-09
   | Initial release of the password_prompt role
+  | Initial release of the sudo_by_ssh_agent role
diff --git a/roles/sudo_by_ssh_agent/README.md b/roles/sudo_by_ssh_agent/README.md
@@ -0,0 +1,28 @@
+# Ansible role: huyz.general.sudo_by_ssh_agent
+
+Configures sudo to use the `libpam-ssh-agent-auth` package and authorize the
+provided ssh key.
+
+## Installation
+
+This repo uses the FQCN convention.
+
+Include the collection in the Ansible Galaxy `requirements.yml`:
+
+```shell
+---
+collections:
+  - name: huyz.general
+```
+
+You can then include the role `huyz.general.sudo_by_ssh_agent`.
+
+## Example
+
+```yaml
+    - name: Authorize sudo by ssh agent
+      ansible.builtin.include_role:
+        name: huyz.general.sudo_by_ssh_agent
+      vars:
+        pub_files_for_sudo: ['~/.ssh/id_ed25519-vip.pub']
+```
diff --git a/roles/sudo_by_ssh_agent/tasks/main.yml b/roles/sudo_by_ssh_agent/tasks/main.yml
@@ -0,0 +1,41 @@
+# Requires vars:
+# - pub_files_for_sudo: list of full path of the public keys to use for sudo
+---
+- name: Ensure libpam-ssh-agent-auth package
+  ansible.builtin.package:
+    name: libpam-ssh-agent-auth
+  become: true
+
+- name: Add to sudo authorized_keys the content of {{ pub_files_for_sudo }}
+  ansible.posix.authorized_key:
+    user: root  # dummy
+    key: "{{ lookup('file', item) }}"
+    path: /etc/security/authorized_keys
+    manage_dir: false
+  become: true
+  loop: "{{ pub_files_for_sudo }}"
+
+# Per https://www.lorier.net/docs/ssh-agent-sudo.html
+- name: Enable pam_ssh_agent_auth for sudo
+  ansible.builtin.blockinfile:
+    dest: /etc/pam.d/sudo
+    marker: "# {mark} ANSIBLE MANAGED BLOCK: {{ block_id }}"
+    insertbefore: "@include common-auth"
+    block: |
+      # Allow sudo by ssh agent
+      auth       sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
+  vars:
+    block_id: sudo_by_ssh_agent
+  become: true
+
+# Per https://www.lorier.net/docs/ssh-agent-sudo.html
+- name: Preserve SSH_AUTH_SOCK for sudo
+  ansible.builtin.blockinfile:
+    dest: /etc/sudoers
+    marker: "# {mark} ANSIBLE MANAGED BLOCK: {{ block_id }}"
+    insertafter: '#Defaults:%sudo env_keep \+= "SSH_AGENT_PID SSH_AUTH_SOCK"'
+    block: |
+      Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
+  vars:
+    block_id: sudo_by_ssh_agent
+  become: true

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+major_changes:`
	`2`	`+ - sudo_by_ssh_agent - initial commit`