Hi,

The main (and probably the only) use case of this PAM module is to let sudo authenticate users via their ssh-agent, therefore without having to type any password and without being tempted to use the NOPASSWD sudo option for such convenience.

The principle is originally implemented by an existing module [0][1] and many pages that explain how to use it for such purpose can be found online.

Why then this new implementation? A few reasons:

- it's way smaller, simpler and easier to audit
- it wants to remain as such
- it reuses everything from openssh-portable; no novel, outdated or alternative crypto implementations
- it's based on openssh-portable so it supports all the algorithms that ssh-agent does (e.g. ecdsa-sk, ed25519-sk, pkcs#11, ... yuk!)

Now, the natural place for this, I think, is right with openssh-portable. Is there, maybe, by any chance, a way to merge it there?

This is a critical piece of software for those who use it and needs to be well guarded. It has super healthy tests, and the maintenance effort can remain low and easy.

A few things that are missing:

- man page
- installation
- support for multiple keys in the auth file

I'm also asking the Linux PAM people to double-check my usage of PAM.

Regards,
Domenico

[0] https://github.com/jbeverly/pam_ssh_agent_auth
[1] https://sourceforge.net/projects/pamsshagentauth/

--
rsa4096: 3B10 0CA1 8674 ACBA B4FE FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA 356E CC79 2832 ED38 CB05

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
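Added example, not part of the mail above and not the code or documentation of the module it announces: the sudo-plus-PAM wiring that the described use case needs, written against the existing module [0], whose module name and `file=` option come from its own README. The new module's option names are not on this page (its man page is listed as missing), and every path below is an assumption. The `env_keep` line is the part people miss: sudo scrubs the environment by default, so without it `SSH_AUTH_SOCK` never reaches the PAM stack and the module has no agent to talk to, and authentication silently falls through to the password prompt.

```text
# /etc/sudoers (edit with visudo); assumed location.
# sudo resets the environment by default, but the PAM module must
# find the caller's agent socket, so pass exactly this one variable.
Defaults env_keep += "SSH_AUTH_SOCK"

# /etc/pam.d/sudo; assumed location. Module name and option from [0].
# "sufficient": a valid agent signature over the module's challenge
# completes auth; if no agent or no matching key, fall through to
# the normal password stack (the include name is distro-dependent:
# Debian uses "@include common-auth", Fedora "auth include system-auth").
auth  sufficient  pam_ssh_agent_auth.so file=/etc/security/authorized_keys
auth  include     system-auth

# /etc/security/authorized_keys; assumed path. Plain authorized_keys
# format, one public key per line (placeholder key, not a real one).
# Keep this file root-owned and not writable by the users it authorizes:
# whoever can append a key here can grant themselves root without a password.
ssh-ed25519 <base64 public key> user@host
```

To check the setup, confirm the agent actually holds the key with `ssh-add -L`, run `sudo -K` to discard any cached sudo credential, then run `sudo -v`: it should succeed without a prompt. Unset `SSH_AUTH_SOCK` in the shell and repeat; sudo should fall back to asking for a password, which shows the `sufficient` fall-through works and nothing is granted without the agent.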