SSO, *-agent & PAM

Oswald Buddenhagen ossi at
Sun Jan 15 00:14:05 EST 2006

moin *,

sorry for the cross-post; follow-ups should go to xdg@ (the only one of
those lists i'm subscribed to).

i'm pondering the idea of implementing SingleSignOn based on an
authentication agent like the ones employed by ssh and gnupg. the system
would consist of two main components:
- fdo-keyagent, certainly a d-bus service
- pam_keyagent, a PAM module that would authenticate users by unlocking
  their key(s) (which one(s), has to be preconfigured somehow -
  ~/.config/keyagent maybe?) and adding them to the agent's cache.
- it might make sense to create libkeyagent that would provide functions
  for key retrieval, etc.  i'm not sure whether it would be better to
  embed ssh-add's equivalent into the agent or into such a library.

the key agent would send notifications when keys exceed their lifetime.
in fact, this is a major missing component of PAM. in this context it
might even make sense to create meta-entries for kerberos tokens and
even unix passwords (with close relation to pam_time/pam_group).

end-user/desktop applications (password managers, ssh, gpg, etc.) would
use the keys stored in the agent - obviously.

a buzz word that comes to mind is x.509 compliance, but i really have no
idea what that would include.

as far as security goes, i really need some input. possible concerns:
- having a central agent for all users might be frowned upon. one could
  make the agent fork a sub-agent for each user, but this would require
  some elaborate IPC.
  plan b is to make fdo-keyagent a meta-agent that would spawn
  ssh-agents, gpg-agents, etc. on demand, ref-count them and do other
  housekeeping. even more "interesting" IPC.
- apps using PAM traditionally have been bad at using mlock, and i
  wouldn't know how to fix this. what do the security experts think
  about this issue?
- having the d-bus daemon in between doesn't exactly help, either. maybe
  it would make sense to use d-bus for the protocol only and set up
  dedicated connections for passphrase and key transfers.

i'm interested in any kind of useful comments, including pointers to
prior art in that area and papers worth reading.

Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
Chaos, panic, and disorder - my work here is done.
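Two of the points raised above (keys that expire after a lifetime, and the mlock problem for secrets held in process memory) can be shown in a few lines of C. The following is an added example written for this discussion, not code from the proposed fdo-keyagent or from any existing agent: it keeps an in-process key cache (no D-Bus, no PAM headers), pins each secret's pages with mlock() so they cannot be paged out, wipes them with a volatile write before release, and evicts entries whose lifetime has elapsed. The type and function names (secret_buf, cache_entry, cache_expire) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/mman.h>

/* A passphrase/key buffer whose pages are pinned with mlock() so the secret
 * is not written to swap, and which is wiped before the memory is freed.
 * Hypothetical type for this example, not part of any real agent. */
typedef struct {
    unsigned char *data;
    size_t len;
    int locked;   /* 1 if mlock() succeeded, 0 if refused (e.g. RLIMIT_MEMLOCK) */
} secret_buf;

/* Wipe through a volatile pointer so the compiler cannot drop the stores
 * as a dead write before free(). */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

secret_buf *secret_alloc(size_t len) {
    secret_buf *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->data = malloc(len);
    if (!s->data) { free(s); return NULL; }
    s->len = len;
    /* mlock rounds to whole pages; a failure is recorded, not fatal, so the
     * caller can decide whether an unlocked secret is acceptable. */
    s->locked = (mlock(s->data, len) == 0);
    memset(s->data, 0, len);
    return s;
}

void secret_free(secret_buf *s) {
    if (!s) return;
    secure_wipe(s->data, s->len);
    if (s->locked) munlock(s->data, s->len);
    free(s->data);
    free(s);
}

/* One cached key with an absolute add time and a lifetime in seconds
 * (0 = never expires), mirroring the lifetime notion in the post. */
typedef struct {
    char name[32];
    secret_buf *key;
    time_t added;
    time_t lifetime;
} cache_entry;

int cache_entry_expired(const cache_entry *e, time_t now) {
    if (e->lifetime == 0) return 0;
    return now >= e->added + e->lifetime;
}

/* Evict every expired entry, wiping its secret. The return value is the
 * number evicted, which is the natural place to hang an expiry notification. */
int cache_expire(cache_entry *entries, size_t n, time_t now) {
    int expired = 0;
    for (size_t i = 0; i < n; i++) {
        if (entries[i].key && cache_entry_expired(&entries[i], now)) {
            secret_free(entries[i].key);
            entries[i].key = NULL;
            expired++;
        }
    }
    return expired;
}

int main(void) {
    /* constructed sample: one short-lived key, one permanent key */
    cache_entry e[2];
    memset(e, 0, sizeof e);
    strcpy(e[0].name, "ssh-key"); e[0].key = secret_alloc(32); e[0].lifetime = 60;
    strcpy(e[1].name, "gpg-key"); e[1].key = secret_alloc(32); e[1].lifetime = 0;
    printf("ssh-key pages locked: %s\n", e[0].key->locked ? "yes" : "no");
    int n = cache_expire(e, 2, 90);   /* 90 seconds after add time 0 */
    printf("expired %d entr%s; gpg-key still cached: %s\n",
           n, n == 1 ? "y" : "ies", e[1].key ? "yes" : "no");
    secret_free(e[1].key);
    return 0;
}
```

Whether mlock() succeeds depends on RLIMIT_MEMLOCK in the calling process, which is exactly why an agent that holds secrets on behalf of many clients is in a better position than each PAM-using application: the agent can be given the limit (or the capability) once, while the clients only ever see a handle.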
