pam_ssh_agent_auth lets you use the ssh keys held in your ssh-agent, forwarded over your ssh client connection, to get passwordless sudo on the destination host, which checks the offered key against a list of trusted public keys kept on its side.
This can be used with Ansible, which often needs root permissions; details below:
- There is a good (Ubuntu-specific) guide to setting up pam_ssh_agent_auth here for “normal” non-Ansible tasks.
- Next, ensure ssh-agent is running and your key is enrolled in it.
- Also ensure you are actually forwarding your ssh-agent (e.g. with ForwardAgent yes in ~/.ssh/config).
- In your ansible.cfg, add -o ForwardAgent=yes to ssh_args.
- Also in ansible.cfg, remove -n from sudo_flags (or customize this per host in your inventory file with the ansible_sudo_flags directive).
- Run your playbook with sudo or become directives as necessary.
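As an added example (not from this post or the pam_ssh_agent_auth project), a small Python check for the two ansible.cfg changes above and for the local agent. It assumes the classic ansible.cfg layout with ssh_args under [ssh_connection] and sudo_flags under [defaults], and uses a constructed sample config.

```python
import configparser
import io
import os
import shlex
import subprocess

# Constructed sample ansible.cfg before the changes described above.
SAMPLE_CFG = """
[defaults]
inventory = ./hosts
sudo_flags = -H -S -n

[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=60s
"""


def audit_cfg(text):
    """Return the list of things still missing from an ansible.cfg."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    ssh_args = shlex.split(cp.get("ssh_connection", "ssh_args", fallback=""))
    if "ForwardAgent=yes" not in ssh_args:
        findings.append("ssh_args: add -o ForwardAgent=yes so the agent reaches the target")
    sudo_flags = shlex.split(cp.get("defaults", "sudo_flags", fallback=""))
    if "-n" in sudo_flags:
        findings.append("sudo_flags: drop -n so sudo is allowed to run the PAM auth step")
    return findings


def fix_cfg(text):
    """Return the config text with both changes applied."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    for sec in ("defaults", "ssh_connection"):
        if not cp.has_section(sec):
            cp.add_section(sec)
    args = shlex.split(cp.get("ssh_connection", "ssh_args", fallback=""))
    if "ForwardAgent=yes" not in args:
        args += ["-o", "ForwardAgent=yes"]
    cp.set("ssh_connection", "ssh_args", " ".join(args))
    flags = [f for f in shlex.split(cp.get("defaults", "sudo_flags", fallback="")) if f != "-n"]
    cp.set("defaults", "sudo_flags", " ".join(flags))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def agent_ready():
    """True if an agent socket is exported and `ssh-add -l` lists at least one key."""
    sock = os.environ.get("SSH_AUTH_SOCK")
    if not sock or not os.path.exists(sock):
        return False
    try:
        # ssh-add -l exits 0 with keys, 1 with none, 2 if the agent is unreachable
        return subprocess.run(["ssh-add", "-l"], capture_output=True).returncode == 0
    except FileNotFoundError:
        return False
```

Run audit_cfg on your real ansible.cfg text and agent_ready() before the playbook; an empty findings list and True mean the client side of the setup above is in place.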