[RFC PATCH 0/4] PAM module for ssh-agent user authentication

Domenico Andreoli cavokz at gmail.com
Wed Jul 22 05:06:19 AEST 2020

On Tue, Jul 21, 2020 at 07:38:42PM +0200, Domenico Andreoli wrote:
> On Tue, Jul 21, 2020 at 10:01:04AM -0700, Peter Moody wrote:
> > > Having it available as part of openssh would be a useful bridgehead for
> > > educating users towards better solutions, when available, and anyway
> > > practically improve the security of the status quo.
> > 
> > I think that something like this might be a better fit in the
> > Linux-Pam repository.
> > 
> > Having done this before, my big worry was always, how does pam trust
> > the agent? being able to rw to an unix domain socket doesn't mean that
> Trusting the agent is the easy part, if it can sign the challenge.
> It's trusting the user who's behind it that is difficult.
> > the ssh-agent at the other end is owned by the user calling sudo. It's
> Oh! Being sudo setuid, it could happily read whatever SSH_AUTH_SOCK a
> malicious user would throw at it. Fantastic.
> > an approximation, and sometimes that approximation is (obviously)
> > fine. But it seems to me that for the general use-case, this is
> > stapling functionality to the agent that the protocol wasn't designed
> > to support.
> Indeed in the plain ssh scenario, the ssh client runs with the user's
> permissions.
> In the PAM module context, the safest assumption is that the module
> runs as root. How to ensure that a given SSH_AUTH_SOCK is really owned
> by the user seeking authentication is totally different story.

The only way I see to not allow any priviledge escalation is by checking
the owner and permissions of both socket and auth file.

Both need to be writable only to their owner. The socket needs to be
owned by the real user, not the effective one. The auth file needs to
be owned by the target user, the one pointed by PAM_USER, that the user
attempting the authentication intends to become.


rsa4096: 3B10 0CA1 8674 ACBA B4FE  FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA  356E CC79 2832 ED38 CB05

More information about the openssh-unix-dev mailing list