Sudo authorization
You can use the authentik Agent to authorize sudo elevation when connected to a Linux endpoint device via SSH.
When you then run a sudo command in that SSH session, the sudo authorization is handled by the authentik Agent.
Prerequisites
- authentik Agent needs to be deployed on the device.
- Sudo authorization needs to be configured on the device, see the Configure sudo authorization on an endpoint device section below.
Configure sudo authorization on an endpoint device
If you want a Linux endpoint device to support sudo authorization with authentik credentials, you need to install the libpam-authentik package in addition to the authentik Agent. This is a PAM module that provides token-based and interactive authentication via authentik.
Authorization is only possible if the Linux device is aware of the authentik user that is attempting to authorize. This can be achieved in one of two ways:
- Provision user accounts - Create users on the Linux device with usernames that match the authentik users that need to authorize sudo on the device. This can be done manually or with automation tools such as Ansible.
- libnss-authentik - A package that can be installed on the Linux device. It is an NSS module that makes the Linux device aware of authentik users, similar to joining a Linux device to an Active Directory or LDAP domain.
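The first option above, provisioning local accounts that match authentik usernames, as an added example (not code from the authentik documentation or project). The username list is constructed for the example, the useradd flags are an assumption, and DRY_RUN defaults to 1 so the script only prints what it would do.

```shell
#!/bin/sh
# Added example: create local accounts whose names match authentik users so
# that sudo authorization through the authentik Agent can resolve them.
# DRY_RUN=1 (default) prints the useradd commands; DRY_RUN=0 runs them as root.
: "${DRY_RUN:=1}"

# Usernames come from an external identity source, so accept only
# conservative POSIX portable names (lowercase, digits, _ and -, max 32 chars).
valid_username() {
  printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Returns 0 if the account is already visible locally (files or NSS).
account_exists() {
  getent passwd "$1" >/dev/null 2>&1
}

# Provision one account idempotently: 0 = present or created, 1 = rejected.
provision_user() {
  name=$1
  if ! valid_username "$name"; then
    echo "skip: invalid username '$name'" >&2
    return 1
  fi
  if account_exists "$name"; then
    echo "ok: $name already present"
    return 0
  fi
  if [ "$DRY_RUN" = 1 ]; then
    echo "would run: useradd --create-home --shell /bin/bash $name"
  else
    useradd --create-home --shell /bin/bash "$name"   # assumed flags
  fi
}

# Constructed sample list of authentik usernames, one per line.
# The third entry is deliberately malformed to show the validation path.
AUTHENTIK_USERS="alice
bob
bad;name"

# Provision every listed user; exit status 1 if any entry was rejected.
provision_all() {
  rc=0
  for u in $AUTHENTIK_USERS; do
    provision_user "$u" || rc=1
  done
  return $rc
}
```

Run `DRY_RUN=0 sh provision.sh` as root only after reviewing the dry-run output, and replace AUTHENTIK_USERS with the names exported from authentik.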
Install the libpam-authentik package (required)
You must have already deployed and configured the authentik Agent on the device.
Run the following command to install the libpam-authentik package:
sudo apt install libpam-authentik
Install the libnss-authentik package (optional)
Run the following command to install the libnss-authentik package:
sudo apt install libnss-authentik