On Mon, Jul 20, 2020 at 9:28 PM Domenico Andreoli <cavokz@xxxxxxxxx> wrote:
>
> Hi,
>
> The main (and probably the only) use case of this PAM module is to let
> sudo authenticate users via their ssh-agent, therefore without having
> to type any password and without being tempted to use the NOPASSWD sudo
> option for such convenience.

Why? In order to keep your original agent accessible, you'd have to open up permissions to the socket to the other user without using group membership, namely open it to the world and maybe hiding it by obscurity.

Why wouldn't you simply put the public SSH key in the target account, maybe restricting access to localhost, and use "ssh -A localhost -l targetaccount"?

> The principle is originally implemented by an existing module [0][1]
> and many pages that explain how to use it for such purpose can be
> found online.
>
>
> Why then this new implementation?
>
> A few reasons:
> - it's way smaller, more simple and easier to audit
> - it wants to remain as such
> - it reuses everything from openssh-portable; no novel, outdated or
>   alternative crypto implementations
> - it's based on openssh-portable so it supports all the algorithms that
>   ssh-agent does (eg. ecdsa-sk, ed25519-sk, pkcs#11, ... yuk!)

Or you can avoid sudo altogether and keep it quite auditable by using public key based access for the target accounts.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
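The reply's alternative (a public key in the target account, restricted to localhost, reached with "ssh -A localhost") only stays tight if every key in that account's authorized_keys actually carries a loopback-limited from= option. The check below is an added example, not code from the thread; the sample file, its placeholder key material and the verdict names are constructed, and the from= option is matched by sshd against the connecting client's address.

```python
# Constructed sample authorized_keys (not from the thread); key material is placeholder text.
SAMPLE_AUTHORIZED_KEYS = """\
# restricted to loopback, as the reply suggests
from="127.0.0.1,::1" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER0000 admin@laptop
# no from= option: usable from any address sshd listens on
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER1111 admin@desk
# from= present, but wider than loopback
from="10.0.0.0/8",no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2222 admin@vpn
"""
LOOPBACK = {"127.0.0.1", "::1"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def parse_line(line):
    """Return (options, key_type) for a key line, or None for blanks and comments.
    Options are comma-separated and end at the first whitespace outside double quotes,
    so from="a,b" stays one option; quotes are dropped from the returned values."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPE_PREFIXES):
        return [], line.split()[0]  # no options field at all
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line) and (quoted or not line[i].isspace()):
        c, i = line[i], i + 1
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += c
    rest = line[i:].split()
    return opts + [cur], (rest[0] if rest else "")

def audit(text):
    """Classify each key line by its from= option (matched by sshd against the client address)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        opts, key_type = parsed
        hosts = [o[len("from="):].split(",") for o in opts if o.startswith("from=")]
        if not hosts:
            verdict = "unrestricted"
        elif all(h.strip() in LOOPBACK for h in hosts[0]):
            verdict = "loopback-only"
        else:
            verdict = "restricted-but-not-loopback"
        findings.append((lineno, key_type, verdict))
    return findings
```

Run it against the real file of the target account (for example `audit(open("/home/targetaccount/.ssh/authorized_keys").read())`) and treat anything other than "loopback-only" as a key that also grants access from outside the box.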