[RFC PATCH 0/4] PAM module for ssh-agent user authentication

Domenico Andreoli cavokz at gmail.com
Thu Jul 23 05:50:53 AEST 2020


On Tue, Jul 21, 2020 at 12:46:40AM -0400, Nico Kadel-Garcia wrote:
> On Mon, Jul 20, 2020 at 9:28 PM Domenico Andreoli <cavokz at gmail.com> wrote:
> >
> > Hi,
> >
> > The main (and probably the only) use case of this PAM module is to let
> > sudo authenticate users via their ssh-agent, therefore without having
> > to type any password and without being tempted to use the NOPASSWD sudo
> > option for such convenience.
> 
> Why? In order to keep your original agent accessible, you'd have to
> open up permissions to the socket to the other user without using
> group membership, namely open it to the world and maybe hiding it
> by obscurity. Why wouldn't you simply put the public SSH key in the
> target account, maybe restricting access to localhost, and use "ssh -A
> localhost -l targetaccount".

Can sshd cache the credentials as sudo does? Or should I push the button
of my Solo key every single time I want to become root?

> > The principle is originally implemented by an existing module [0][1]
> > and many pages that explain how to use it for such purpose can be
> > found online.
> >
> >
> > Why then this new implementation?
> >
> > A few reasons:
> > - it's way smaller, more simple and easier to audit
> > - it wants to remain as such
> > - it reuses everything from openssh-portable; no novel, outdated or
> >   alternative crypto implementations
> > - it's based on openssh-portable so it supports all the algorithms that
> >   ssh-agent does (eg. ecdsa-sk, ed25519-sk, pkcs#11, ... yuk!)
> 
> Or you can avoid sudo altogether and keep it quite auditable by using
> public key based access for the target accounts.

sudo is not going away any time soon and neither ssh-agent, they need
to coexist in the same toolbox and play well together.

Dom

-- 
rsa4096: 3B10 0CA1 8674 ACBA B4FE  FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA  356E CC79 2832 ED38 CB05
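The agent exchange a module of this kind performs, as an added example that is not part of this thread, of the patch series, of the existing module it cites, or of openssh-portable. It assumes that sudo passes the caller's SSH_AUTH_SOCK through to the module, and it uses the message numbers and framing of the ssh-agent protocol (draft-miller-ssh-agent). The names `challenge_user`, `socket_is_trustworthy` and `demo_socket_check` are hypothetical. Because the module runs as root under sudo, no socket permission has to be opened up (Nico's objection) but the socket path is then user-supplied data that root is about to follow, so the ownership check runs before anything is sent. The final check of the agent's signature against the user's authorized public key needs real key code and is deliberately not reproduced here.

```python
# Added example: the ssh-agent exchange a PAM module of this kind depends on.
# Not code from the patch series, from the module it cites or from openssh-portable.
from __future__ import annotations
import os
import secrets
import socket
import stat
import struct
import tempfile

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14   # anything else (e.g. SSH_AGENT_FAILURE = 5) means "no"

def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def get_string(buf: bytes, off: int) -> tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string in agent message")
    return buf[off + 4:off + 4 + n], off + 4 + n

def frame(msg_type: int, payload: bytes = b"") -> bytes:
    """Agent message on the wire: uint32 length, one type byte, payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body

def build_sign_request(key_blob: bytes, challenge: bytes, flags: int = 0) -> bytes:
    """SSH_AGENTC_SIGN_REQUEST payload: string key blob, string data, uint32 flags."""
    return frame(SSH_AGENTC_SIGN_REQUEST,
                 put_string(key_blob) + put_string(challenge) + struct.pack(">I", flags))

def parse_identities(msg: bytes) -> list[tuple[bytes, str]]:
    """SSH_AGENT_IDENTITIES_ANSWER (type byte first) -> [(key_blob, comment), ...]."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        return []
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = get_string(msg, off)
        comment, off = get_string(msg, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

def parse_sign_response(msg: bytes) -> bytes | None:
    """Signature blob from SSH_AGENT_SIGN_RESPONSE; None if the agent refused."""
    if not msg or msg[0] != SSH_AGENT_SIGN_RESPONSE:
        return None
    return get_string(msg, 1)[0]

def socket_is_trustworthy(path: str, uid: int) -> bool:
    """SSH_AUTH_SOCK is user-supplied but the module runs as root under sudo:
    accept only a socket owned by that user, in a directory the user or root
    owns that nobody else can write (ssh-agent itself creates it mode 0700)."""
    try:
        st, dst = os.lstat(path), os.stat(os.path.dirname(path) or ".")
    except OSError:
        return False
    if not stat.S_ISSOCK(st.st_mode) or st.st_uid != uid:
        return False
    return dst.st_uid in (uid, 0) and not dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH)

def agent_exchange(sock_path: str, request: bytes) -> bytes:
    """Send one framed request to a live agent; return the reply, type byte first."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(request)
        f = s.makefile("rb")
        (n,) = struct.unpack(">I", f.read(4))
        return f.read(n)

def challenge_user(sock_path: str, uid: int, authorized: set[bytes]):
    """Module flow: pick an agent identity that is also in the user's authorized keys,
    have it sign a fresh nonce, return (key_blob, nonce, signature) for verification."""
    if not socket_is_trustworthy(sock_path, uid):
        return None
    ids = parse_identities(agent_exchange(sock_path, frame(SSH_AGENTC_REQUEST_IDENTITIES)))
    for blob, _comment in ids:
        if blob in authorized:
            nonce = secrets.token_bytes(32)  # fresh per attempt, so a captured reply cannot be replayed
            sig = parse_sign_response(agent_exchange(sock_path, build_sign_request(blob, nonce)))
            if sig is not None:
                return blob, nonce, sig
    return None

def demo_socket_check() -> tuple[bool, bool, bool]:
    """Constructed scenario: our socket in a 0700 dir, then a wrong uid, then a 0777 dir."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "agent.sock")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(p)
    try:
        os.chmod(d, 0o700)
        me = os.getuid()
        results = (socket_is_trustworthy(p, me), socket_is_trustworthy(p, me + 1))
        os.chmod(d, 0o777)
        return results + (socket_is_trustworthy(p, me),)
    finally:
        s.close()
        os.unlink(p)
        os.rmdir(d)
```

For the module to see the caller's agent at all, sudo has to keep the variable, which by default it strips: `Defaults env_keep += "SSH_AUTH_SOCK"` in sudoers. The reply from `challenge_user` is only half the job; whoever consumes it still has to verify `signature` over `nonce` with the public key in `key_blob`, and a key such as ecdsa-sk or ed25519-sk will make the agent wait for the touch on the token (the Solo key button mentioned above) before it answers the sign request.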