SudoPK
Slides from the LISA '08 talk on SudoPK. 

Allows SSH public key authentication over the agent-forwarding channel
when using sudo.

Apply to OpenBSD 4.3-stable by doing:
	cd /usr/src
	patch -p0 < sudopk.patch

Rebuild and install ssh:
	cd usr.bin/ssh
	make
	make install

Rebuild and install sudo:
	cd /usr/src/usr.bin/sudo
	make
	make install

Comments:

Tested on OpenBSD 4.3.  It should work on other OSes that have
bsd_auth.  The new login_pubkey module is controlled through
login.conf.  The easiest way is to add it to the auth-defaults line:

	auth-defaults:auth=passwd,pubkey,test,skey:

Sudo is now able to access the module using the -a flag:

	sudo -a pubkey ls

The sudo app still prompts for a password, but whatever you type is
unused.

Make sure you have an ssh-agent running on your local host and the
agent forwarded to the host with login_pubkey.  Any key you use should
be added with:

	ssh-add -c

to prevent a compromised remote host from hijacking your agent
session.  (This is a general problem with agent forwarding.)
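
The setup described above can be checked on the remote host before running
sudo.  The script below is an added example, not part of SudoPK; its
function names and return codes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: preflight checks to run on the remote host before
# `sudo -a pubkey`. Function names and return codes are assumptions.

# 0 if the auth-defaults entry of the given login.conf lists "pubkey"
# in its auth= styles, 1 if it does not, 2 if no such entry is found.
login_conf_has_pubkey() {
    conf=${1:-/etc/login.conf}
    styles=$(sed -n 's/^auth-defaults:.*auth=\([^:]*\):.*/\1/p' "$conf" | head -n 1)
    [ -n "$styles" ] || return 2
    case ",$styles," in
        *,pubkey,*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if a forwarded agent is reachable and holds at least one key.
# 1: SSH_AUTH_SOCK unset, 2: not a socket, 3: agent unreachable, 4: no keys.
agent_ready() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    [ -S "$SSH_AUTH_SOCK" ] || return 2
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) return 0 ;;
        1) return 4 ;;   # ssh-add -l exits 1 when the agent has no identities
        *) return 3 ;;   # exit 2: could not contact the agent
    esac
}

# Run both checks and report the first failure on stderr.
# Whether a key was added with `ssh-add -c` is decided on the local host
# and is not checked here.
preflight() {
    login_conf_has_pubkey "${1:-/etc/login.conf}" || {
        echo "pubkey is not in the auth-defaults auth= list" >&2; return 1; }
    agent_ready || {
        echo "no usable forwarded agent (agent_ready returned $?)" >&2; return 1; }
}

# Usage: preflight && sudo -a pubkey ls
```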