[RFC PATCH 0/4] PAM module for ssh-agent user authentication

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi,

The main (and probably the only) use case of this PAM module is to let
sudo authenticate users via their ssh-agent, therefore without having
to type any password and without being tempted to use the NOPASSWD sudo
option for such convenience.

The principle is originally implemented by an existing module [0][1]
and many pages that explain how to use it for such purpose can be
found online.


Why then this new implementation?

A few reasons:
- it's way smaller, more simple and easier to audit
- it wants to remain as such
- it reuses everything from openssh-portable; no novel, outdated or
  alternative crypto implementations
- it's based on openssh-portable so it supports all the algorithms that
  ssh-agent does (eg. ecdsa-sk, ed25519-sk, pkcs#11, ... yuk!)


Now, the natural place for this, I think, is right with openssh-portable.

Is there, maybe, by any chance, a way to merge it there?

This is a critical piece of software for those who use it and needs
to be well guarded. It has super healthy tests, the maintenance effort
can reimain low and easy.


A few things that are missing:
- man page
- installation
- support for multiple keys in the auth file


I'm also asking to the Linux PAM people to double-check my usage of PAM.

Regards,
Domenico

[0] https://github.com/jbeverly/pam_ssh_agent_auth
[1] https://sourceforge.net/projects/pamsshagentauth/

-- 
rsa4096: 3B10 0CA1 8674 ACBA B4FE  FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA  356E CC79 2832 ED38 CB05
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux