Typing passwords is bad. Typing passwords on anything other than your local machine is really bad. Here’s how to use a nice little library to authorise your use of sudo via your already-running SSH agent.

Quick overview: If you are using SSH properly you are using ssh-agent (or gpg-agent) to login to remote servers. Presumably you trust machines you have sudo access on enough to use SSH agent forwarding, so, when SSHing, the remote machine can pull authentication info from your local agent (perhaps popping up a password dialog locally if needed) to use elsewhere. Well, why not require that same information to sudo? If it can pull the authentication, it’s definitely you on your local machine who’s typing the sudo command.

,# apt-get install libpam0g-dev libssl-dev

Download pamsshagentauth. Extract to wherever you put things you are make && make install’ing on your server, then

$ ./configure
$ make
,# make libexecdir=/lib/security install

Now edit the file /etc/pam.d/sudo to replace the line @include common-auth with

auth sufficient pam_ssh_agent_auth.so \
file=%h/.ssh/authorized_keys
auto required pam_deny.so

Finally visudo and add before the Defaults env_reset line

Defaults env_keep += SSH_AUTH_SOCK,timestamp_timeout=0

This makes things work and also removes sudo remembering your authentication—it’s your SSH agent’s job to do that.

sources: 1, 2