[RFC PATCH 0/4] PAM module for ssh-agent user authentication
Domenico Andreoli
cavokz at gmail.com
Tue Jul 21 11:06:13 AEST 2020
Hi,
The main (and probably the only) use case of this PAM module is to let
sudo authenticate users via their ssh-agent, therefore without having
to type any password and without being tempted to use the NOPASSWD sudo
option for such convenience.
The principle is originally implemented by an existing module [0][1]
and many pages that explain how to use it for such purpose can be
found online.
Why then this new implementation?
A few reasons:
- it's way smaller, more simple and easier to audit
- it wants to remain as such
- it reuses everything from openssh-portable; no novel, outdated or
alternative crypto implementations
- it's based on openssh-portable so it supports all the algorithms that
ssh-agent does (e.g. ecdsa-sk, ed25519-sk, pkcs#11, ... yuk!)
Now, the natural place for this, I think, is right with openssh-portable.
Is there, maybe, by any chance, a way to merge it there?
This is a critical piece of software for those who use it and needs
to be well guarded. It has super healthy tests, the maintenance effort
can remain low and easy.
A few things that are missing:
- man page
- installation
- support for multiple keys in the auth file
I'm also asking the Linux PAM people to double-check my usage of PAM.
Regards,
Domenico
[0] https://github.com/jbeverly/pam_ssh_agent_auth
[1] https://sourceforge.net/projects/pamsshagentauth/
--
rsa4096: 3B10 0CA1 8674 ACBA B4FE FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA 356E CC79 2832 ED38 CB05
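As an added illustration of the principle the series borrows from [0], and not part of the posted patches, this is how the existing pam_ssh_agent_auth module is typically wired into sudo; the module options, paths and the key line are assumptions taken from that module's usual setup, and the new module's name and options are not given in this message:

```text
# /etc/pam.d/sudo  (existing module [0]; the patch's module name is not shown here)
# "sufficient": a valid agent signature over a root-controlled key list
# satisfies auth; if the agent is absent or refuses, PAM falls through
# to the normal password prompt provided by the remaining auth lines.
auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
# ... the distribution's usual auth lines follow ...

# /etc/sudoers  (edit with visudo)
# sudo scrubs the environment; without this the module never sees the
# caller's agent socket and every request silently ends at the password.
Defaults env_keep += "SSH_AUTH_SOCK"

# /etc/security/authorized_keys
# Same format as ~/.ssh/authorized_keys. Keep it root-owned and not
# user-writable: whoever can edit this file can grant themselves sudo.
# The key below is a constructed placeholder, not a real key.
ssh-ed25519 AAAA...PLACEHOLDER...  alice@workstation
```

Because this trusts whatever agent SSH_AUTH_SOCK points at, a forwarded agent extends that trust to every host the user forwards it to, which is exactly why the key list must stay under root's control.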