Re: [RFC PATCH 0/4] PAM module for ssh-agent user authentication

> Having it available as part of openssh would be a useful bridgehead for
> educating users towards better solutions, when available, and anyway
> practically improve the security of the status quo.

I think that something like this might be a better fit in the
Linux-PAM repository.

Having done this before, my big worry was always, how does PAM trust
the agent? Being able to rw to a Unix domain socket doesn't mean that
the ssh-agent at the other end is owned by the user calling sudo. It's
an approximation, and sometimes that approximation is (obviously)
fine. But it seems to me that for the general use-case, this is
stapling functionality to the agent that the protocol wasn't designed
to support.

Anyway, my $0.02

Cheers,
peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


