The goal of this project is to provide a PAM authentication module determining the identity of a user based on a signature request and response sent via the ssh-agent protocol to a potentially remote ssh-agent.
One scenario that this module can be used in is to grant escalated privileges on a remote system with the sudo command, where the identity of the user is confirmed by their ability to provide a signature made with a local ssh-agent and a private key that never leaves the designated hardware. I use the Secretive app on macOS for this purpose.
This project is a re-implementation of the pam_ssh_agent_auth module but does not share any code with that project. The eventual goal of this module is to be functionally equivalent and a drop-in replacement for pam_ssh_agent_auth.
This project is currently in a usable state, and has been tested with Ubuntu 22.04. As of now, the path expansion patterns that pam_ssh_agent_auth provides are not implemented. In other words, a single authorized_keys file is expected to be used.
Since this is security sensitive software and a bug could easily result in undue privilege escalation, the main goal of this project is to be robust and easy to follow for would-be reviewers.
The implementation leans heavily on crates available in the Rust ecosystem that implement the different parts needed for the overall functionality, most notably the pam, ssh-key, and ssh-agent-client-rs crates. Using upstream libraries directly is intended to make it easier to ensure that implementation issues with security implications get addressed in a timely manner. A secondary benefit is that it is easier to support a wide range of algorithms.
- Use debuild -b to build a .deb package with the shared object and install it with dpkg.
- Install doas, to ensure that you have a different way of elevating your privileges than sudo. You will need to add a permit line in /etc/doas.conf for it to work.
- Replace the common-auth include in /etc/pam.d/sudo with auth required pam_ssh_agent.so
- Configure sudo to not drop the SSH_AUTH_SOCK environment variable by adding Defaults env_keep += "SSH_AUTH_SOCK" to the file /etc/sudoers.d/ssh_agent_env
- Add the authorized public keys to /etc/security/authorized_keys
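A way to check the setup steps above before relying on them, written as an added example and not part of this project's code. The function names are hypothetical, and the permission check on the key file is an assumption about sensible hardening, not something the module is stated to enforce.

```shell
#!/bin/sh
# Added example: audit a pam_ssh_agent setup. File paths are parameters so
# the checks can run against copies; the defaults are the paths on this page.

# Print the key file named on the pam_ssh_agent.so auth line of a PAM file:
# the file=... option if present, otherwise the documented default.
pam_keys_file() {
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_ssh_agent\.so' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    for opt in ${line#*pam_ssh_agent.so}; do   # options are space separated
        case $opt in
            file=*) echo "${opt#file=}"; return 0 ;;
        esac
    done
    echo /etc/security/authorized_keys
}

# Succeed if the sudoers file keeps SSH_AUTH_SOCK in the environment.
sudoers_keeps_sock() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=.*SSH_AUTH_SOCK' "$1"
}

# Succeed if the key file exists and is not writable by group or others.
# Whoever can add a key to this file can answer the signature request.
keys_file_locked_down() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)          # e.g. -rw-r--r--
    case $perms in
        ?????w????|????????w?) return 1 ;;     # group or other write bit set
    esac
    return 0
}

# Run all checks; print one line per failed check, return non-zero on any.
audit_pam_ssh_agent() {
    pam_file=${1:-/etc/pam.d/sudo}
    sudoers_file=${2:-/etc/sudoers.d/ssh_agent_env}
    rc=0
    if keys=$(pam_keys_file "$pam_file"); then
        keys_file_locked_down "$keys" ||
            { echo "FAIL: $keys missing or group/world-writable"; rc=1; }
    else
        echo "FAIL: no auth line for pam_ssh_agent.so in $pam_file"; rc=1
    fi
    sudoers_keeps_sock "$sudoers_file" ||
        { echo "FAIL: SSH_AUTH_SOCK not in env_keep in $sudoers_file"; rc=1; }
    return $rc
}
```

Source the file and call audit_pam_ssh_agent as root (sudoers drop-ins are normally not world-readable); it does not check file ownership or the permissions of the parent directory.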
PAM modules can be configured using space separated options after pam_ssh_agent.so in the applicable configuration file in /etc/pam.d. pam_ssh_agent currently understands the following options:
- debug: This will increase log output to the AUTHPRIV syslog facility.
- file=/file/name: This will use the given file as the one holding the authorized public keys instead of the default /etc/security/authorized_keys.
Licensed under either of the Apache License, Version 2.0 or the MIT license at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.