Bugzilla – Bug 803
pam_ssh_agent_auth.so doesn't work on 1.8.19p2 due to missing SSH_AUTH_SOCK
Last modified: 2017-09-21 12:36:22 MDT
We use pam_ssh_agent_auth as our only form of sudo auth, like so:

$ cat /etc/pam.d/sudo
#%PAM-1.0
auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
auth required pam_env.so
auth required pam_deny.so
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so

Our site uses Oracle Enterprise Linux (which essentially tracks RHEL of the same version). On our OEL6 systems, with sudo-1.8.6p3-29.el6_9.x86_64 and similar, this works fine. On our OEL7 systems with 1.8.6p7-23.el7_3, it works fine. However, OEL7 just got 1.8.19p2-10.el7, and on those systems it fails.

More interestingly, it fails *unless* we add:

Defaults env_keep+="SSH_AUTH_SOCK"

to /etc/sudoers; if we do that, it works fine. So it looks like between those versions, something changed in how the environment gets scrubbed such that the PAM step doesn't have access to SSH_AUTH_SOCK.

Since we're trying to stop users from changing to other users, we'd really prefer *not* to pass SSH_AUTH_SOCK through sudo, so we're really hoping there's some other solution.
This is a pretty big issue for us, as it's leaving us with no choice but to allow users to pass their hardware key auth through sudo, which is really bad. Do you need any further details to investigate it?
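The reporter's concern with the env_keep workaround is that SSH_AUTH_SOCK then reaches the command sudo runs, not just the PAM stack. The following script is an added example, not part of the bug report or of sudo or pam_ssh_agent_auth: it checks which agent-related variables survive into the target command's environment, using constructed sample listings for the offline part and `sudo -n env` for a live check (the live check assumes a rule that does not prompt, such as cached credentials, and a `sudo` on PATH). It says nothing about whether pam_ssh_agent_auth itself can see the socket during authentication; that is the separate question the bug raises.

```shell
#!/bin/sh
# Added example (not from the bug report): does the command run by sudo
# inherit variables that let it talk to the caller's ssh-agent?

# Variables that give a process access to the caller's agent.
AGENT_VARS="SSH_AUTH_SOCK SSH_AGENT_PID"

# leaked_vars: read an environment listing (NAME=VALUE, one per line) on
# stdin and print the names of agent variables that appear in it.
leaked_vars() {
    listing=$(cat)
    found=""
    for v in $AGENT_VARS; do
        if printf '%s\n' "$listing" | grep -q "^$v="; then
            found="$found $v"
        fi
    done
    printf '%s\n' "${found# }"
}

# agent_leaks_through_sudo: run `env` under sudo and return 0 (and print
# the names) if any agent variable survived the scrub, 1 if none did.
# Assumption: `sudo -n` succeeds without a prompt on this host.
agent_leaks_through_sudo() {
    leaked=$(sudo -n env | leaked_vars)
    if [ -n "$leaked" ]; then
        echo "leaked into target environment: $leaked"
        return 0
    fi
    echo "no agent variables in target environment"
    return 1
}

# Constructed sample listings, not captured from a real host.
SAMPLE_CLEAN='PATH=/usr/bin:/bin
USER=root
LANG=C'

SAMPLE_KEPT='PATH=/usr/bin:/bin
USER=root
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXX/agent.1234
LANG=C'

SAMPLE_BOTH='SSH_AGENT_PID=1233
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXX/agent.1234
USER=root'

if [ "${1:-}" = "--live" ]; then
    agent_leaks_through_sudo
else
    printf 'clean listing -> "%s"\n' "$(printf '%s\n' "$SAMPLE_CLEAN" | leaked_vars)"
    printf 'env_keep listing -> "%s"\n' "$(printf '%s\n' "$SAMPLE_KEPT" | leaked_vars)"
    printf 'both vars -> "%s"\n' "$(printf '%s\n' "$SAMPLE_BOTH" | leaked_vars)"
fi
```

Run it with `--live` on a host where `Defaults env_keep+="SSH_AUTH_SOCK"` is in effect to confirm the socket path really does reach the target command; without the flag it only exercises the parsing on the constructed samples.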