[RFC PATCH 0/4] PAM module for ssh-agent user authentication

Peter Moody mindrot at hda3.com
Wed Jul 22 03:01:04 AEST 2020


> Having it available as part of openssh would be a useful bridgehead for
> educating users towards better solutions, when available, and anyway
> practically improve the security of the status quo.

I think that something like this might be a better fit in the
Linux-Pam repository.

Having done this before, my big worry was always, how does pam trust
the agent? being able to rw to an unix domain socket doesn't mean that
the ssh-agent at the other end is owned by the user calling sudo. It's
an approximation, and sometimes that approximation is (obviously)
fine. But it seems to me that for the general use-case, this is
stapling functionality to the agent that the protocol wasn't designed
to support.

anyway, my $0.02

Cheers,
peter


More information about the openssh-unix-dev mailing list