Getting pam_ssh_agent_auth to work with Ansible

pam_ssh_agent_auth lets you authenticate to sudo with the ssh keys held in your ssh-agent: you forward the agent over your ssh client connection, and on the destination host sudo checks the forwarded keys against a list of trusted public keys, giving you passwordless sudo.

This can be used with Ansible, which often needs root permissions; details below:

  1. There is a good (Ubuntu-specific) guide to setting pam_ssh_agent_auth up here for “normal” non-Ansible tasks.
  2. Next, ensure you are running ssh-agent and your key is enrolled.
  3. Also ensure you are actually forwarding your ssh-agent (e.g. with ForwardAgent yes in ~/.ssh/config).
  4. In your ansible.cfg, add -o ForwardAgent=yes to ssh_args.
  5. Also in ansible.cfg, remove -n from sudo_flags (or customize this per host in your inventory file with the ansible_sudo_flags directive).
  6. Run your playbook with sudo or become directives as necessary.
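As an added pre-flight check for steps 2 to 5 (example code written for this post, not from the original or from the pam_ssh_agent_auth or Ansible projects), the script below verifies on the control host that an agent with keys is reachable and that an ansible.cfg forwards the agent and lets sudo prompt. It assumes the standard ansible.cfg layout (ssh_args under [ssh_connection], sudo_flags under [defaults]); the two sample configs are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: control-host pre-flight checks for
# the agent-forwarded sudo setup above. Assumes a standard ansible.cfg layout
# (ssh_args under [ssh_connection], sudo_flags under [defaults]); the sample
# configs below are constructed for demonstration.

# 0 when an ssh-agent is reachable from this shell and holds at least one key
# (steps 2 and 3 need this on the control host; not exercised by the samples).
agent_has_keys() {
    [ -n "$SSH_AUTH_SOCK" ] && ssh-add -l >/dev/null 2>&1
}

# Print the value of ini key $2 from file $1 (first "key = value" match).
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# 0 when ssh_args forwards the agent to the managed host (step 4).
cfg_forwards_agent() {
    case "$(cfg_value "$1" ssh_args)" in
        *ForwardAgent=yes*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when sudo_flags lets sudo prompt: no -n / --non-interactive, including an
# n inside a short-option cluster such as -Hn (step 5). With -n sudo fails
# before PAM ever gets to consult the forwarded agent.
cfg_sudo_can_prompt() {
    for f in $(cfg_value "$1" sudo_flags); do
        case "$f" in
            --non-interactive) return 1 ;;
            --*) ;;
            -*n*) return 1 ;;
        esac
    done
    return 0
}

# Report both settings; 0 only when both are as steps 4 and 5 require.
check_cfg() {
    rc=0
    cfg_forwards_agent "$1" || { echo "ssh_args lacks -o ForwardAgent=yes"; rc=1; }
    cfg_sudo_can_prompt "$1" || { echo "sudo_flags still contains -n"; rc=1; }
    return $rc
}

# Constructed samples: a default-style config and the corrected one.
TMP=$(mktemp -d)
BAD_CFG="$TMP/bad.cfg"; GOOD_CFG="$TMP/good.cfg"
printf '[defaults]\nsudo_flags = -H -S -n\n\n[ssh_connection]\nssh_args = -o ControlMaster=auto\n' > "$BAD_CFG"
printf '[defaults]\nsudo_flags = -H -S\n\n[ssh_connection]\nssh_args = -o ControlMaster=auto -o ForwardAgent=yes\n' > "$GOOD_CFG"
check_cfg "$BAD_CFG" || echo "bad.cfg: fix the settings above"
check_cfg "$GOOD_CFG" && echo "good.cfg: ready for passwordless sudo via the agent"
```

Point check_cfg at your real ansible.cfg and run agent_has_keys in the same shell you launch ansible-playbook from.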