[RFC PATCH 0/4] PAM module for ssh-agent user authentication

Michael Ströder michael at stroeder.com
Wed Jul 22 03:27:41 AEST 2020


On 7/21/20 7:01 PM, Peter Moody wrote:
>> Having it available as part of openssh would be a useful bridgehead for
>> educating users towards better solutions, when available, and anyway
>> practically improve the security of the status quo.
> 
> I think that something like this might be a better fit in the
> Linux-Pam repository.
> 
> Having done this before, my big worry was always, how does pam trust
> the agent? Being able to rw to a unix domain socket doesn't mean that
> the ssh-agent at the other end is owned by the user calling sudo. It's
> an approximation, and sometimes that approximation is (obviously)
> fine. But it seems to me that for the general use-case, this is
> stapling functionality to the agent that the protocol wasn't designed
> to support.

Agreed.

AFAICS the client also has to enable key agent forwarding. Isn't that a
risk too in case the server is hacked?

Ciao, Michael.
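An added illustration of the trust problem Peter describes above (example code written for this page, not part of the proposed PAM module, Linux-PAM or OpenSSH): it performs the two checks a PAM module could make before talking to whatever is listening on an agent socket, the owner and mode of the socket inode and the uid of the listening process as reported by SO_PEERCRED (Linux only). The listening socket it tests against is a constructed stand-in for an agent, not ssh-agent itself, and the names `inspect_agent_socket`, `AgentSocketCheck` and `demo` are chosen here.

```python
from __future__ import annotations

import os
import socket
import stat
import struct
import tempfile
from dataclasses import dataclass

# Layout of struct ucred { pid_t pid; uid_t uid; gid_t gid; } returned by SO_PEERCRED on Linux.
_UCRED_FMT = "3i"


@dataclass
class AgentSocketCheck:
    path: str
    expected_uid: int
    owner_uid: int            # uid owning the socket inode (from lstat)
    peer_uid: int | None      # uid of the process listening on the socket (SO_PEERCRED), None if unknown
    peer_pid: int | None      # pid of that process, None if unknown
    reasons: list[str]        # every reason the socket failed the check; empty means it passed

    @property
    def ok(self) -> bool:
        return not self.reasons


def inspect_agent_socket(path: str, expected_uid: int) -> AgentSocketCheck:
    """Decide whether the socket at `path` plausibly belongs to `expected_uid`.

    Two independent signals are combined: owner and mode of the socket inode,
    and the credentials of the process on the other end, read with SO_PEERCRED
    on a freshly connected client socket. Neither proves the peer is ssh-agent.
    """
    reasons: list[str] = []
    st = os.lstat(path)
    is_sock = stat.S_ISSOCK(st.st_mode)
    if not is_sock:
        reasons.append("path is not a unix domain socket")
    if st.st_uid != expected_uid:
        reasons.append(f"socket inode owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        reasons.append("socket inode is group/world accessible (mode %o)" % stat.S_IMODE(st.st_mode))

    peer_uid = peer_pid = None
    if is_sock:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(2.0)
            try:
                s.connect(path)
            except OSError as exc:
                reasons.append(f"connect failed: {exc}")
            else:
                if hasattr(socket, "SO_PEERCRED"):
                    raw = s.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(_UCRED_FMT))
                    peer_pid, peer_uid, _peer_gid = struct.unpack(_UCRED_FMT, raw)
                    if peer_uid != expected_uid:
                        reasons.append(f"listening process runs as uid {peer_uid}, expected {expected_uid}")
                else:
                    reasons.append("SO_PEERCRED not available; peer identity unverified")

    return AgentSocketCheck(path, expected_uid, st.st_uid, peer_uid, peer_pid, reasons)


def _stand_in_agent(path: str) -> socket.socket:
    """Constructed stand-in for an agent: a listening socket with a 0600 inode, as ssh-agent creates."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)
    srv.listen(1)
    return srv


def demo(group_accessible: bool = False) -> AgentSocketCheck:
    """Run the check against the stand-in in a private temp dir, optionally after loosening its mode."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "agent.sock")
        srv = _stand_in_agent(path)
        try:
            if group_accessible:
                os.chmod(path, 0o660)   # simulate a socket that other group members could reach
            return inspect_agent_socket(path, os.getuid())
        finally:
            srv.close()


if __name__ == "__main__":
    for label, result in (("clean", demo()), ("group-accessible", demo(group_accessible=True))):
        print(label, "ok" if result.ok else "REJECT", result.reasons)
```

Both signals remain the approximation the thread is talking about: a matching uid shows that some process running as the user is listening, not that it is a genuine ssh-agent, and with agent forwarding the process at the server end of the socket is the user's own sshd session, which relays to an agent elsewhere, so SO_PEERCRED says nothing about who holds the keys.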

