pamsshagentauth-code

PAM auth with SSH agent

Go to file

Meutel a0dd02b3f5 Import from sourceforge svn		2016-07-10 19:28:38 +02:00
debian	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
dist	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
openbsd-compat	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
CONTRIBUTORS	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
LICENSE.OpenSSL	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
Makefile.in	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
OPENSSH_LICENSE	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
README	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
aclocal.m4	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
atomicio.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
atomicio.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
authfd.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
authfd.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
bufaux.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
bufbn.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
buffer.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
buffer.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
cipher.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
cleanup.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
compat.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
compat.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
config.guess	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
config.h.in	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
config.sub	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
configure	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
configure.ac	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
defines.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
entropy.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
entropy.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
fatal.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
get_command_line.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
get_command_line.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
identity.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
includes.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
install-sh	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
iterate_ssh_agent_keys.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
iterate_ssh_agent_keys.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
kex.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
key.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
key.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
log.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
log.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
match.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
misc.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
misc.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
mkinstalldirs	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
pam_ssh_agent_auth.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
pam_ssh_agent_auth.pod	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
pam_ssh_agent_auth.sudoers.conf	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
pam_static_macros.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
pam_user_authorized_keys.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
pam_user_authorized_keys.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
pam_user_key_allowed2.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
pam_user_key_allowed2.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
pathnames.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
platform.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
rsa.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
secure_filename.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
secure_filename.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
ssh-dss.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
ssh-rsa.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
ssh.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
ssh2.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
uidswap.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
uidswap.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
userauth_pubkey_from_id.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
userauth_pubkey_from_id.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
uuencode.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
uuencode.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
xmalloc.c	Import from sourceforge svn	2016-07-10 19:28:38 +02:00
xmalloc.h	Import from sourceforge svn	2016-07-10 19:28:38 +02:00

README

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

pam_ssh_agent_auth is a PAM module which permits PAM authentication via your
keyring in a forwarded ssh-agent.

Release 0.10.2 is stable, and has been tested on FreeBSD, Solaris 10, Solaris 11,
RHEL5, RHEL6, Debian Wheezy, Ubuntu 12.04 (LTS), Ubuntu 13.10,
and MacOS X 10.7.

This module can be used to provide authentication for anything run locally that
supports PAM. It was written specifically with the intention of permitting
authentication for sudo without password entry, and also has been proven useful
for use with su as an alternative to wheel.

It serves as middle ground between the two most common, and suboptimal
alternatives for large-scale system administration: allowing rootlogin via ssh,
or using NOPASSWD in sudoers. This module allows for ssh public-key
authentication, and it does this by leveraging an authentication mechanism you
are probably already using, ssh-agent.

There are caveats of course, ssh-agent forwarding has it’s own security risks
which must be carefully considered for your environment. In cases where there
are not untrustworthy intermediate servers, and you wish to retain traceability,
accountability, and required authentication for privileged command invocation,
the benefits should outweigh the risks. Release 0.10.2 can be downloaded from
SourceForge: https://sourceforge.net/project/showfiles.php?group_id=249556

If you encounter any issues with usability or security, please use the project's
SourceForge tracker:
https://sourceforge.net/tracker2/?group_id=249556&atid=1126337

Note that if you wish to use this for sudo, you will need a version of sudo that
preserves the env_keep environment during authentication; and ideally a version
incorporating my minor patch which ensures RUSER is set during PAM authentication.

sudo 1.6.8p12 does not work correctly with this PAM module, because it clears the
environment (even env_keep variables) prior to attempting PAM authentication.

sudo 1.7.2p1 or later is preferred, as it correctly sets PAM_RUSER for
authentication.

README Unescape Escape

README