[RFC PATCH 0/4] PAM module for ssh-agent user authentication

Domenico Andreoli cavokz at gmail.com
Tue Jul 21 19:26:12 AEST 2020

On Tue, Jul 21, 2020 at 09:20:50AM +0100, Brian Candler wrote:
> On 21/07/2020 05:46, Nico Kadel-Garcia wrote:
> > On Mon, Jul 20, 2020 at 9:28 PM Domenico Andreoli<cavokz at gmail.com>  wrote:
> > > Hi,
> > > 
> > > The main (and probably the only) use case of this PAM module is to let
> > > sudo authenticate users via their ssh-agent, therefore without having
> > > to type any password and without being tempted to use the NOPASSWD sudo
> > > option for such convenience.
> > Why? In order to keep your original agent accessible, you'd have to
> > open up permissions to the socket to the other user without using
> > group membership, namely open it to to the world and maybe hiding it
> > by obscurity. Why wouldn't you simply put the public SSH key in the
> > target account, maybe restricting access to loclahost, and use "ssh -A
> > localhost -l targetaccount".
> > 
> I don't think the target user requires access to the agent socket - that is,
> it's normal to be able to sudo from user A to user B, without being able to
> sudo in turn from user B to user C.  In the case where user B is a daemon
> account, it probably has no sudo rights anyway.

I use sudo to become root, the socket permissions are not an issue. When
I want to switch to another user, I use 'sudo su -'. Again, no issue
with the permissions.

Thanks to Nico I discovered that if I have sshd, sudo is really not needed.

Said that, I've just realized the my module is still useful in those
situations where you don't have sshd.

Does it add any value providing it for such cases?


rsa4096: 3B10 0CA1 8674 ACBA B4FE  FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA  356E CC79 2832 ED38 CB05

More information about the openssh-unix-dev mailing list