[RFC PATCH 0/4] PAM module for ssh-agent user authentication

Peter Moody mindrot at hda3.com
Tue Jul 21 13:24:45 AEST 2020


I wrote something a lot like this when I was at uber

  https://github.com/pmoody-/pam-ussh

(the uber version is here: https://github.com/uber/pam-ussh)


On Mon, Jul 20, 2020 at 6:29 PM Domenico Andreoli <cavokz at gmail.com> wrote:
>
> Hi,
>
> The main (and probably the only) use case of this PAM module is to let
> sudo authenticate users via their ssh-agent, therefore without having
> to type any password and without being tempted to use the NOPASSWD sudo
> option for such convenience.
>
> The principle is originally implemented by an existing module [0][1]
> and many pages that explain how to use it for such purpose can be
> found online.
>
>
> Why then this new implementation?
>
> A few reasons:
> - it's way smaller, simpler and easier to audit
> - it wants to remain as such
> - it reuses everything from openssh-portable; no novel, outdated or
>   alternative crypto implementations
> - it's based on openssh-portable so it supports all the algorithms that
>   ssh-agent does (eg. ecdsa-sk, ed25519-sk, pkcs#11, ... yuk!)
>
>
> Now, the natural place for this, I think, is right with openssh-portable.
>
> Is there, maybe, by any chance, a way to merge it there?
>
> This is a critical piece of software for those who use it and needs
> to be well guarded. It has super healthy tests, the maintenance effort
> can remain low and easy.
>
>
> A few things that are missing:
> - man page
> - installation
> - support for multiple keys in the auth file
>
>
> I'm also asking the Linux PAM people to double-check my usage of PAM.
>
> Regards,
> Domenico
>
> [0] https://github.com/jbeverly/pam_ssh_agent_auth
> [1] https://sourceforge.net/projects/pamsshagentauth/
>
> --
> rsa4096: 3B10 0CA1 8674 ACBA B4FE  FCD2 CE5B CF17 9960 DE13
> ed25519: FFB4 0CC3 7F2E 091D F7DA  356E CC79 2832 ED38 CB05
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
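The exchange both modules rely on (ask the user's agent for its keys, pick one listed in an admin-controlled file, have the agent sign a fresh challenge, verify the signature) as an added example in Python. This is not Domenico's module, pam-ussh or pam_ssh_agent_auth; it is a stand-alone client written for this page. It assumes SSH_AUTH_SOCK points at the caller's agent (which is exactly why sudo needs `Defaults env_keep += "SSH_AUTH_SOCK"`), the challenge layout (nonce + user + service) and the authorized-keys path are this example's own choices, and only rsa-sha2-256 signatures are verified because that is the one case the Python standard library can check; ecdsa/ed25519 keys need a crypto library, which the module gets for free from openssh-portable.

```python
# Added example: minimal ssh-agent challenge/response client, NOT the
# module's own code. Message numbers follow draft-miller-ssh-agent.
import base64, hashlib, hmac, os, socket, struct

SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
SSH_AGENT_RSA_SHA2_256 = 2   # flag: request rsa-sha2-256 rather than SHA-1 ssh-rsa

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated agent message")
    return buf[off:off + n], off + n

def parse_identities(msg):
    """SSH_AGENT_IDENTITIES_ANSWER -> [(key_blob, comment), ...]"""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected reply")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

def build_sign_request(blob, data, flags=0):
    return (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(blob)
            + ssh_string(data) + struct.pack(">I", flags))

def parse_sign_response(msg):
    """SSH_AGENT_SIGN_RESPONSE -> (signature format, raw signature bytes)"""
    if not msg or msg[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("agent refused to sign")
    sig, _ = read_string(msg, 1)
    fmt, off = read_string(sig, 0)
    raw, _ = read_string(sig, off)
    return fmt.decode("ascii"), raw

def load_authorized_blobs(text):
    """authorized_keys-style lines ('type base64 comment') -> set of key blobs"""
    blobs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not line.startswith("#"):
            blobs.add(base64.b64decode(parts[1]))
    return blobs

def verify_rsa_sha256(blob, data, raw_sig):
    """PKCS#1 v1.5 / SHA-256 check of an rsa-sha2-256 signature, stdlib only."""
    fmt, off = read_string(blob, 0)
    if fmt != b"ssh-rsa":
        return False
    e_bytes, off = read_string(blob, off)
    n_bytes, _ = read_string(blob, off)
    e, n = int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(raw_sig, "big")
    if len(raw_sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    digest_info = (bytes.fromhex("3031300d060960864801650304020105000420")
                   + hashlib.sha256(data).digest())
    if k < len(digest_info) + 11:          # PKCS#1: at least 8 bytes of 0xff padding
        return False
    expected = b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info
    return hmac.compare_digest(em, expected)

def agent_call(sock, payload):
    sock.sendall(struct.pack(">I", len(payload)) + payload)
    def recv_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("agent closed the socket")
            buf += chunk
        return buf
    (length,) = struct.unpack(">I", recv_exact(4))
    return recv_exact(length)

def authenticate(user, authorized, sock_path):
    """Live exchange with the agent; True only if an authorized key signs a fresh challenge."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(5)
        sock.connect(sock_path)
        for blob, _comment in parse_identities(agent_call(sock, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))):
            if blob not in authorized:
                continue                    # only admin-listed keys count
            # Fresh nonce bound to user and service so a captured signature
            # cannot be replayed for another account or purpose (this layout is ours).
            challenge = os.urandom(32) + ssh_string(user.encode()) + ssh_string(b"sudo")
            reply = agent_call(sock, build_sign_request(blob, challenge, SSH_AGENT_RSA_SHA2_256))
            try:
                fmt, raw = parse_sign_response(reply)
            except ValueError:
                continue                    # agent declined, try the next listed key
            if fmt == "rsa-sha2-256" and verify_rsa_sha256(blob, challenge, raw):
                return True
    return False

if __name__ == "__main__":
    import getpass
    with open("/etc/security/authorized_keys") as f:    # hypothetical path
        allowed = load_authorized_blobs(f.read())
    print("ok" if authenticate(getpass.getuser(), allowed, os.environ["SSH_AUTH_SOCK"]) else "denied")
```

Two things this makes visible that a deployment has to get right: the authorized file must be root-owned and not user-writable (otherwise the user adds their own key and this is NOPASSWD with extra steps), and the socket is whatever SSH_AUTH_SOCK says, so on a host that accepts agent forwarding the key that ends up authorizing sudo may live on a remote machine.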
