On 21/07/2020 05:46, Nico Kadel-Garcia wrote:
On Mon, Jul 20, 2020 at 9:28 PM Domenico Andreoli<cavokz@xxxxxxxxx> wrote:
Hi,
The main (and probably the only) use case of this PAM module is to let
sudo authenticate users via their ssh-agent, therefore without having
to type any password and without being tempted to use the NOPASSWD sudo
option for such convenience.
Why? In order to keep your original agent accessible, you'd have to
open up permissions to the socket to the other user without using
group membership, namely open it to the world and maybe hiding it
by obscurity. Why wouldn't you simply put the public SSH key in the
target account, maybe restricting access to localhost, and use "ssh -A
localhost -l targetaccount".
I don't think the target user requires access to the agent socket - that
is, it's normal to be able to sudo from user A to user B, without being
able to sudo in turn from user B to user C. In the case where user B is
a daemon account, it probably has no sudo rights anyway.
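For readers comparing the two setups discussed above, here is an added configuration sketch; it is not part of the thread and none of the participants posted it. It assumes the PAM module in question is pam_ssh_agent_auth (the thread never names it) and that the account names and the key file path are placeholders. The first part wires the module into sudo; the second part is the authorized_keys alternative Nico describes, restricted to local connections.

```conf
# --- Approach 1: sudo authenticates via the caller's ssh-agent ---

# /etc/pam.d/sudo  (assumption: module is pam_ssh_agent_auth)
# Keys listed in the named file are the ones sudo will accept; keep that
# file root-owned and not writable by the users it authenticates.
auth  sufficient  pam_ssh_agent_auth.so  file=/etc/security/authorized_keys
auth  include     system-auth

# /etc/sudoers (via visudo)
# sudo scrubs the environment; the module needs the agent socket path.
Defaults  env_keep += "SSH_AUTH_SOCK"

# Only the caller's own process talks to the agent here: the target
# account never gets the socket, which matches the point made in the
# reply above (sudo from A to B should not hand B the means to reach C).

# --- Approach 2: key in the target account, "ssh -A localhost -l targetaccount" ---

# ~targetaccount/.ssh/authorized_keys  (key value is a placeholder)
# "from=" limits where this key may be used from; "restrict" turns off
# port/agent/X11 forwarding and pty allocation for this key.
from="127.0.0.1,::1",restrict ssh-ed25519 AAAA...PLACEHOLDER user@workstation
```

Note the trade-off the thread is really about: with `-A` the caller forwards the agent into the target account's session, so anything running as that account can use the caller's keys for as long as the session lasts; the PAM route keeps the agent on the caller's side and only asks it to sign a challenge. The `restrict` option on the target's key limits what that inbound session can do, but it does not change what the forwarded agent can sign.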
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev