I use gpg-agent to manage ssh-agent. On my PC, `ssh-add -L` prints my public keys, which are used on the server. `ForwardAgent` is on. `pam.d/sudo` and `sudoers` are configured.

After `ssh user@host`, `echo $SSH_AUTH_SOCK` prints the gpg-agent one. If I run `sudo -i` or another command with `sudo`, it asks for a password.

If I use `ssh user@host 'bash'` or another shell, then `sudo` runs without asking for a password. By the way, this method does not print any shell prompt, such as `$`.

I set `pam.d/sudo` with `auth ... debug` and got this log:

```
Nov 10 16:46:23 nixos sudo[30150]: pam_ssh_agent_auth: Beginning pam_ssh_agent_auth for user vonfry
Nov 10 16:46:23 nixos sudo[30150]: pam_ssh_agent_auth: Attempting authentication: `vonfry' as `vonfry' using ~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u
Nov 10 16:46:23 nixos sudo[30150]: pam_ssh_agent_auth: Contacted ssh-agent of user vonfry (1000)
Nov 10 16:46:23 nixos gpg-agent[4022]: scdaemon[4022]: pcsc_establish_context failed: no service (0x8010001d)
Nov 10 16:46:23 nixos sudo[30150]: pam_ssh_agent_auth: Failed Authentication: `vonfry' as `vonfry' using ~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u
```

On the server, `gpg-agent` is listed in htop, owned by my SSH login user, and `gpg-connect-agent` works. `TTY` and `GPG_TTY` are the same. `htop` shows that `gpg-agent` has a subprocess `scdaemon --multi-server`.

I tried to search for `gpg-agent[4022]: scdaemon[4022]: pcsc_establish_context failed: no service (0x8010001d)`, but found nothing useful.

EDIT1: If I kill the SSH login user's gpg-agent daemon, sudo works without a password.
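The following diagnostic script is an added example and not part of the post above. pam_ssh_agent_auth authenticates by asking whatever agent listens on `$SSH_AUTH_SOCK` to sign a challenge with a key that also appears in one of the configured authorized_keys files, so the two things worth checking on the server are which agent that socket belongs to and whether the keys that agent offers are actually authorized. The script classifies the socket path by the standard locations (sshd's forwarded socket under `/tmp/ssh-*/agent.*`, gpg-agent's SSH socket `S.gpg-agent.ssh` under `~/.gnupg` or `/run/user/UID/gnupg`) and compares agent keys against authorized_keys lines on key type plus blob, skipping comments and `from=`/`command=` option prefixes. The key blobs and user names in the sample data are constructed and not real keys.

```shell
#!/bin/sh
# Added diagnostic for pam_ssh_agent_auth failures (example code, not from the
# original post). Pure shell + awk, so it runs on a server without gpg or ssh.

# classify_auth_sock PATH -> forwarded | gpg-agent | none | other
# Path patterns are the defaults used by sshd's agent forwarding and gpg-agent.
classify_auth_sock() {
    case "$1" in
        "")                      echo none ;;
        /tmp/ssh-*/agent.*)      echo forwarded ;;   # socket created by sshd ForwardAgent
        */S.gpg-agent.ssh)       echo gpg-agent ;;   # gpg-agent --enable-ssh-support socket
        *)                       echo other ;;
    esac
}

# count_authorized AGENT_KEYS AUTHORIZED_KEYS -> number of agent keys that are
# present in the authorized_keys text (output of `ssh-add -L` vs. file content).
# Matching is on "type blob", the same identity pam_ssh_agent_auth checks;
# key comments are ignored and authorized_keys option prefixes are skipped.
count_authorized() {
    awk -v agent="$1" -v auth="$2" '
    # id(line): "type blob" of the first key on the line, or "" if none.
    # Scans for the key-type field so options such as from=... are skipped.
    function id(line,    f, n, j) {
        n = split(line, f, " ")
        for (j = 1; j < n; j++)
            if (f[j] ~ /^(ssh-|ecdsa-|sk-)/) return f[j] " " f[j+1]
        return ""
    }
    BEGIN {
        na = split(auth, al, "\n")
        for (i = 1; i <= na; i++)
            if (al[i] !~ /^#/ && (k = id(al[i])) != "") known[k] = 1
        ng = split(agent, gl, "\n")
        n = 0
        for (i = 1; i <= ng; i++)
            if ((k = id(gl[i])) != "" && (k in known)) n++
        print n
    }'
}

# diagnose SOCK AGENT_KEYS AUTHORIZED_KEYS -> one-line verdict
diagnose() {
    kind=$(classify_auth_sock "$1")
    n=$(count_authorized "$2" "$3")
    case "$kind" in
        forwarded)
            if [ "$n" -gt 0 ]; then
                echo "ok: forwarded agent offers $n authorized key(s)"
            else
                echo "fail: forwarded agent offers no key listed in authorized_keys"
            fi ;;
        gpg-agent) echo "fail: SSH_AUTH_SOCK points at the host's own gpg-agent, not the forwarded agent" ;;
        none)      echo "fail: SSH_AUTH_SOCK is unset" ;;
        *)         echo "unknown: $1 is not a recognised agent socket" ;;
    esac
}

# Constructed sample data (fake key blobs, not real keys).
SAMPLE_AGENT_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA vonfry@pc
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFAKEKEYBBBBBBBBBBBBBBBBBBBBBBBBBBBBB other@pc'

SAMPLE_AUTHORIZED_KEYS='# constructed authorized_keys
from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA vonfry@pc
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC someone@else'

# Demo on the constructed data, then on this shell's real SSH_AUTH_SOCK path.
diagnose "/tmp/ssh-XXXXabcd/agent.1234" "$SAMPLE_AGENT_KEYS" "$SAMPLE_AUTHORIZED_KEYS"
diagnose "/run/user/1000/gnupg/S.gpg-agent.ssh" "$SAMPLE_AGENT_KEYS" "$SAMPLE_AUTHORIZED_KEYS"
echo "this shell's SSH_AUTH_SOCK is: $(classify_auth_sock "${SSH_AUTH_SOCK:-}")"
```

To use it on a real host, run `diagnose "$SSH_AUTH_SOCK" "$(ssh-add -L)" "$(cat ~/.ssh/authorized_keys)"` once in an interactive login and once via `ssh user@host 'sh -c ...'`; if the classification differs between the two (gpg-agent in the interactive shell, forwarded in the non-interactive one), the likely cause is an interactive shell startup file that re-exports `SSH_AUTH_SOCK` to the local gpg-agent socket, which the constructed demo lines above mimic. That is a hypothesis to verify against the host's rc files, not something the log proves.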