[RFC PATCH 0/4] PAM module for ssh-agent user authentication

Nico Kadel-Garcia nkadel at gmail.com
Tue Jul 21 14:46:40 AEST 2020

On Mon, Jul 20, 2020 at 9:28 PM Domenico Andreoli <cavokz at gmail.com> wrote:
> Hi,
> The main (and probably the only) use case of this PAM module is to let
> sudo authenticate users via their ssh-agent, therefore without having
> to type any password and without being tempted to use the NOPASSWD sudo
> option for such convenience.

Why? In order to keep your original agent accessible, you'd have to
open up permissions to the socket to the other user without using
group membership, namely open it to to the world and maybe hiding it
by obscurity. Why wouldn't you simply put the public SSH key in the
target account, maybe restricting access to loclahost, and use "ssh -A
localhost -l targetaccount".

> The principle is originally implemented by an existing module [0][1]
> and many pages that explain how to use it for such purpose can be
> found online.
> Why then this new implementation?
> A few reasons:
> - it's way smaller, more simple and easier to audit
> - it wants to remain as such
> - it reuses everything from openssh-portable; no novel, outdated or
>   alternative crypto implementations
> - it's based on openssh-portable so it supports all the algorithms that
>   ssh-agent does (eg. ecdsa-sk, ed25519-sk, pkcs#11, ... yuk!)

Or you can avoid sudo altogether and keep it quite auditable by using
public key based access for the target accounts.

More information about the openssh-unix-dev mailing list