[RFC PATCH 0/4] PAM module for ssh-agent user authentication

Brian Candler b.candler at pobox.com
Tue Jul 21 18:20:50 AEST 2020


On 21/07/2020 05:46, Nico Kadel-Garcia wrote:
> On Mon, Jul 20, 2020 at 9:28 PM Domenico Andreoli<cavokz at gmail.com>  wrote:
>> Hi,
>>
>> The main (and probably the only) use case of this PAM module is to let
>> sudo authenticate users via their ssh-agent, therefore without having
>> to type any password and without being tempted to use the NOPASSWD sudo
>> option for such convenience.
> Why? In order to keep your original agent accessible, you'd have to
> open up permissions to the socket to the other user without using
> group membership, namely open it to the world and maybe hiding it
> by obscurity. Why wouldn't you simply put the public SSH key in the
> target account, maybe restricting access to localhost, and use "ssh -A
> localhost -l targetaccount".
>
I don't think the target user requires access to the agent socket - that 
is, it's normal to be able to sudo from user A to user B, without being 
able to sudo in turn from user B to user C.  In the case where user B is 
a daemon account, it probably has no sudo rights anyway.
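The objection above turns on how an ssh-agent socket is protected: by default it sits in a private 0700 directory, so another local user cannot connect to it no matter what the socket's own mode bits say. The following added example (not code from this thread or from the proposed PAM module) makes that model concrete by checking whether a socket path is reachable by a non-owner, using the classic mode bits only: every directory on the way must grant search (x) permission and the socket itself must grant read and write. The `socket_reachable_by` and `demo` names, the constructed `agent.d/agent.sock` layout and the decision to ignore POSIX ACLs and root's override are all assumptions of this example.

```python
"""Check whether an ssh-agent socket is reachable by another local user.

Added example, not code from the openssh-unix-dev thread or the PAM module
under discussion. Assumption: a non-root user can only connect to a Unix
socket if every directory on the path grants them search (x) permission and
the socket itself grants read+write. Only classic mode bits are inspected;
POSIX ACLs and root's override are ignored.
"""
import os
import socket
import stat
import tempfile

# (search bit on directories, read+write bits on the socket) per class.
_BITS = {
    "group": (stat.S_IXGRP, stat.S_IRGRP | stat.S_IWGRP),
    "other": (stat.S_IXOTH, stat.S_IROTH | stat.S_IWOTH),
}


def socket_reachable_by(sock_path, who="other"):
    """Return (reachable, blocking_path) for the permission class `who`.

    `who` is "group" or "other". If the socket is reachable, blocking_path
    is None; otherwise it is the first path component that denies access.
    """
    search_bit, rw_bits = _BITS[who]
    path = os.path.realpath(sock_path)

    # Collect every ancestor directory, root first.
    ancestors = []
    cur = os.path.dirname(path)
    while True:
        ancestors.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    for d in reversed(ancestors):
        if not os.stat(d).st_mode & search_bit:
            return False, d  # cannot even traverse into this directory

    mode = os.stat(path).st_mode
    if not stat.S_ISSOCK(mode):
        raise ValueError(f"{path} is not a socket")
    if (mode & rw_bits) != rw_bits:
        return False, path  # reachable directory, but the socket denies rw
    return True, None


def demo():
    """Build a constructed agent-style socket and evaluate both layouts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # The temp dir is ours; make it traversable so only agent.d decides.
        os.chmod(tmp, 0o711)
        # Mimic ssh-agent's layout: a private 0700 directory holding the socket.
        agent_dir = os.path.join(tmp, "agent.d")
        os.mkdir(agent_dir, 0o700)
        sock_path = os.path.join(agent_dir, "agent.sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
        os.chmod(sock_path, 0o600)
        results["default"] = socket_reachable_by(sock_path, "other")

        # What "opening it to the world" means: traversable dir, rw socket.
        os.chmod(agent_dir, 0o711)
        os.chmod(sock_path, 0o666)
        results["world_open"] = socket_reachable_by(sock_path, "other")
        srv.close()
    return results


if __name__ == "__main__":
    for name, (ok, blocker) in demo().items():
        print(f"{name}: reachable={ok} blocked_by={blocker}")
```

Pointing `socket_reachable_by` at a real `$SSH_AUTH_SOCK` shows which component is doing the protecting; in the default layout it is the 0700 directory, which is why the thread's point about having to "open up permissions" applies to the directory as much as to the socket itself.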