On Tue, Jul 21, 2020 at 12:46:40AM -0400, Nico Kadel-Garcia wrote: > On Mon, Jul 20, 2020 at 9:28 PM Domenico Andreoli <cavokz@xxxxxxxxx> wrote: > > > > Hi, > > > > The main (and probably the only) use case of this PAM module is to let > > sudo authenticate users via their ssh-agent, therefore without having > > to type any password and without being tempted to use the NOPASSWD sudo > > option for such convenience. > > Why? In order to keep your original agent accessible, you'd have to > open up permissions to the socket to the other user without using > group membership, namely open it to to the world and maybe hiding it > by obscurity. Why wouldn't you simply put the public SSH key in the > target account, maybe restricting access to loclahost, and use "ssh -A > localhost -l targetaccount". Can sshd cache the credentials as sudo does? Or should I push the button of my Solo key every single time I want to become root? > > The principle is originally implemented by an existing module [0][1] > > and many pages that explain how to use it for such purpose can be > > found online. > > > > > > Why then this new implementation? > > > > A few reasons: > > - it's way smaller, more simple and easier to audit > > - it wants to remain as such > > - it reuses everything from openssh-portable; no novel, outdated or > > alternative crypto implementations > > - it's based on openssh-portable so it supports all the algorithms that > > ssh-agent does (eg. ecdsa-sk, ed25519-sk, pkcs#11, ... yuk!) > > Or you can avoid sudo altogether and keep it quite auditable by using > public key based access for the target accounts. sudo is not going away any time soon and neither ssh-agent, they need to coexist in the same toolbox and play well together. Dom -- rsa4096: 3B10 0CA1 8674 ACBA B4FE FCD2 CE5B CF17 9960 DE13 ed25519: FFB4 0CC3 7F2E 091D F7DA 356E CC79 2832 ED38 CB05 _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list