I wrote something a lot like this when I was at uber https://github.com/pmoody-/pam-ussh (the uber version is here: https://github.com/uber/pam-ussh)

On Mon, Jul 20, 2020 at 6:29 PM Domenico Andreoli <cavokz@xxxxxxxxx> wrote:
>
> Hi,
>
> The main (and probably the only) use case of this PAM module is to let
> sudo authenticate users via their ssh-agent, therefore without having
> to type any password and without being tempted to use the NOPASSWD sudo
> option for such convenience.
>
> The principle is originally implemented by an existing module [0][1]
> and many pages that explain how to use it for such purpose can be
> found online.
>
>
> Why then this new implementation?
>
> A few reasons:
> - it's way smaller, more simple and easier to audit
> - it wants to remain as such
> - it reuses everything from openssh-portable; no novel, outdated or
>   alternative crypto implementations
> - it's based on openssh-portable so it supports all the algorithms that
>   ssh-agent does (eg. ecdsa-sk, ed25519-sk, pkcs#11, ... yuk!)
>
>
> Now, the natural place for this, I think, is right with openssh-portable.
>
> Is there, maybe, by any chance, a way to merge it there?
>
> This is a critical piece of software for those who use it and needs
> to be well guarded. It has super healthy tests, the maintenance effort
> can remain low and easy.
>
>
> A few things that are missing:
> - man page
> - installation
> - support for multiple keys in the auth file
>
>
> I'm also asking the Linux PAM people to double-check my usage of PAM.
>
> Regards,
> Domenico
>
> [0] https://github.com/jbeverly/pam_ssh_agent_auth
> [1] https://sourceforge.net/projects/pamsshagentauth/
>
> --
> rsa4096: 3B10 0CA1 8674 ACBA B4FE FCD2 CE5B CF17 9960 DE13
> ed25519: FFB4 0CC3 7F2E 091D F7DA 356E CC79 2832 ED38 CB05
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
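The use case described in the quoted message (sudo authenticating against the user's ssh-agent instead of a password) rests on two configuration lines and one trust assumption: the key file the module consults decides who gets root without a password, so only root may be able to write it. The script below is an added example, not code from this thread, from the module under discussion, or from pam_ssh_agent_auth [0]; the PAM and sudoers lines follow the documented wiring of pam_ssh_agent_auth, and the module file name, the `file=` option and the paths are assumptions taken from that module's documentation rather than from the message above.

```shell
#!/bin/sh
# Added example: the usual wiring of sudo to pam_ssh_agent_auth [0], plus a
# check of the trust assumption behind it. Module name, option and paths are
# assumed from that module's documentation, not from the thread.

# /etc/pam.d/sudo (assumed location): consult the agent first; when the module
# cannot verify a listed key the rest of the stack (the password prompt) still
# applies, which is what makes this safer than NOPASSWD.
PAM_SUDO_LINE='auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys'

# /etc/sudoers (assumed): sudo scrubs the environment, so SSH_AUTH_SOCK must be
# kept explicitly or the module never finds the agent socket.
SUDOERS_LINE='Defaults env_keep += "SSH_AUTH_SOCK"'

# Anyone who can write the key file (or replace it via its directory) can list
# their own key and obtain a password-less root shell. Returns 0 when FILE is
# owned by OWNER and neither it nor its parent directory is writable by group
# or others; returns 1 otherwise.
keyfile_trusted() {
    f=$1
    want=$2
    [ -f "$f" ] || return 1
    for p in "$f" "$(dirname "$f")"; do
        l=$(ls -ld "$p")
        # third column of ls -l is the owning user
        [ "$(echo "$l" | awk '{print $3}')" = "$want" ] || return 1
        # in the ls -l mode string, chars 6 and 9 are the group and other write bits
        [ "$(echo "$l" | cut -c6)" = "-" ] || return 1
        [ "$(echo "$l" | cut -c9)" = "-" ] || return 1
    done
    return 0
}

# Usage: sh check-agent-sudo.sh /etc/security/authorized_keys
if [ -n "${1:-}" ]; then
    if keyfile_trusted "$1" root; then
        echo "$1: trusted (root-owned, not group/other writable)"
    else
        echo "$1: NOT trusted; fix ownership/mode before enabling the module"
    fi
    echo "pam.d/sudo line : $PAM_SUDO_LINE"
    echo "sudoers line    : $SUDOERS_LINE"
fi
```

The check deliberately looks at the containing directory as well as the file: a world-writable directory lets the file be swapped even when the file itself is mode 0644, and the module reads whatever is at that path when sudo runs.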