[RFC PATCH 0/4] PAM module for ssh-agent user authentication

Domenico Andreoli cavokz at gmail.com
Tue Jul 21 11:06:13 AEST 2020


The main (and probably the only) use case of this PAM module is to let
sudo authenticate users via their ssh-agent, therefore without having
to type any password and without being tempted to use the NOPASSWD sudo
option for such convenience.

The principle is originally implemented by an existing module [0][1]
and many pages that explain how to use it for such purpose can be
found online.

Why then this new implementation?

A few reasons:
- it's way smaller, simpler and easier to audit
- it wants to remain as such
- it reuses everything from openssh-portable; no novel, outdated or
  alternative crypto implementations
- it's based on openssh-portable so it supports all the algorithms that
  ssh-agent does (e.g. ecdsa-sk, ed25519-sk, pkcs#11, ... yuk!)

Now, the natural place for this, I think, is right with openssh-portable.

Is there, maybe, by any chance, a way to merge it there?

This is a critical piece of software for those who use it and needs
to be well guarded. It has super healthy tests, the maintenance effort
can remain low and easy.

A few things that are missing:
- man page
- installation
- support for multiple keys in the auth file

I'm also asking the Linux PAM people to double-check my usage of PAM.


[0] https://github.com/jbeverly/pam_ssh_agent_auth
[1] https://sourceforge.net/projects/pamsshagentauth/

rsa4096: 3B10 0CA1 8674 ACBA B4FE  FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA  356E CC79 2832 ED38 CB05

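As an added illustration (not code from this patch series or from the module in [0]), the Python below parses the ssh-agent's SSH_AGENT_IDENTITIES_ANSWER and an authorized_keys-style auth file holding several entries, and reports which agent keys are eligible for a sign request; the signing and signature-verification step that completes the authentication is not shown, and the agent reply, key blobs and auth file are constructed sample data.

```python
import base64
import shlex
import struct

SSH_AGENT_IDENTITIES_ANSWER = 12  # reply to SSH_AGENTC_REQUEST_IDENTITIES (11)

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length + payload."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Decode one SSH string at offset off; return (payload, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities_answer(msg: bytes):
    """IDENTITIES_ANSWER body (socket length prefix removed) -> [(blob, comment)]."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (nkeys,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(nkeys):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    if off != len(msg):
        raise ValueError("trailing bytes in identities answer")  # reject sloppy framing
    return keys

def parse_auth_file(text: str):
    """Decoded key blobs of every entry in an authorized_keys-style file."""
    blobs = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # handles quoted options and # comments
        if fields and not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
            fields = fields[1:]  # drop a leading options field (from="...", etc.)
        if len(fields) >= 2:
            blobs.append(base64.b64decode(fields[1]))
    return blobs

def eligible_keys(agent_answer: bytes, auth_file: str):
    """Comments of agent keys also in the auth file: only these get a sign request."""
    allowed = set(parse_auth_file(auth_file))
    return [c for blob, c in parse_identities_answer(agent_answer) if blob in allowed]

# Constructed sample data (not real keys): two ed25519 blobs held by the agent,
# only the first listed in the auth file, behind an options field.
K1 = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
K2 = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
AGENT_ANSWER = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 2) + b"".join(
    ssh_string(x) for x in (K1, b"laptop", K2, b"other"))
AUTH_FILE = "# constructed auth file\n" + 'from="10.0.0.0/8" ssh-ed25519 %s laptop\n' % (
    base64.b64encode(K1).decode())
```

A real module would next send SSH_AGENTC_SIGN_REQUEST over a fresh random challenge for one of the eligible keys and verify the returned signature against the auth-file public key before reporting success to PAM.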