Hi Felix,

Felix Lechner writes:

[...]

>> I'd like to execute sudo without having to set and enter a password [1]
>> and that PAM module is needed

well, the above description is misleading :-(

> You could also add a line like this to your /etc/sudoers (but I don't
> recommend it)
>
> user_name ALL=(ALL) NOPASSWD:ALL

actually I don't want to disable authentication, I'd like to:

--8<---------------cut here---------------start------------->8---
permit anyone who has an SSH_AUTH_SOCK that manages the private key
matching a public key in /etc/security/authorized_keys to execute sudo
without having to enter a password. Note that the ssh-agent listening to
SSH_AUTH_SOCK can either be local, or forwarded.

Unlike NOPASSWD, this still requires an authentication, it's just that
the authentication is provided by ssh-agent, and not password entry.
--8<---------------cut here---------------end--------------->8---
(from https://pamsshagentauth.sourceforge.net/)

>> is someone already using such a configuration in a Guix System?
>
> Not quite. I added my public ssh key to root's authorized_keys. It's
> different from what you are looking for but gives you a root prompt
> with 'ssh root@localhost`.

mumble... I wonder if this works with a forwarded ssh-agent (this means
that you don't need your private ssh key on the remote host to do that
ssh)

> I did it because it's required for 'guix deploy'.
>
> Personally, I have not used the SSH agent, but it's an interesting
> avenue. I use Kerberos instead, which is probably the gold standard
> for distributed authentication. You are doing the right thing by
> thinking about your options.

I never used Kerberos (I should learn it) but if possible I'd like to
avoid installing and configuring extra services; ssh is ubiquitous and
installing and configuring an ssh-agent on the client /maybe/ is easier
than a Kerberos client

[...]

Thanks! Gio'

--
Giovanni Biscuolo
Xelera IT Infrastructures