39 lines
2.0 KiB
Plaintext
39 lines
2.0 KiB
Plaintext
|
pam_ssh_agent_auth is a PAM module which permits PAM authentication via your
|
|||
|
|
keyring in a forwarded ssh-agent.
|
|||
|
|
|
|||
|
|
Release 0.10.2 is stable, and has been tested on FreeBSD, Solaris 10, Solaris 11,
|
|||
|
|
RHEL5, RHEL6, Debian Wheezy, Ubuntu 12.04 (LTS), Ubuntu 13.10,
|
|||
|
|
and MacOS X 10.7.
|
|||
|
|
|
|||
|
|
This module can be used to provide authentication for anything run locally that
|
|||
|
|
supports PAM. It was written specifically with the intention of permitting
|
|||
|
|
authentication for sudo without password entry, and also has been proven useful
|
|||
|
|
for use with su as an alternative to wheel.
|
|||
|
|
|
|||
|
|
It serves as middle ground between the two most common, and suboptimal
|
|||
|
|
alternatives for large-scale system administration: allowing rootlogin via ssh,
|
|||
|
|
or using NOPASSWD in sudoers. This module allows for ssh public-key
|
|||
|
|
authentication, and it does this by leveraging an authentication mechanism you
|
|||
|
|
are probably already using, ssh-agent.
|
|||
|
|
|
|||
|
|
There are caveats of course, ssh-agent forwarding has it’s own security risks
|
|||
|
|
which must be carefully considered for your environment. In cases where there
|
|||
|
|
are not untrustworthy intermediate servers, and you wish to retain traceability,
|
|||
|
|
accountability, and required authentication for privileged command invocation,
|
|||
|
|
the benefits should outweigh the risks. Release 0.10.2 can be downloaded from
|
|||
|
|
SourceForge: https://sourceforge.net/project/showfiles.php?group_id=249556
|
|||
|
|
|
|||
|
|
If you encounter any issues with usability or security, please use the project's
|
|||
|
|
SourceForge tracker:
|
|||
|
|
https://sourceforge.net/tracker2/?group_id=249556&atid=1126337
|
|||
|
|
|
|||
|
|
Note that if you wish to use this for sudo, you will need a version of sudo that
|
|||
|
|
preserves the env_keep environment during authentication; and ideally a version
|
|||
|
|
incorporating my minor patch which ensures RUSER is set during PAM authentication.
|
|||
|
|
|
|||
|
|
sudo 1.6.8p12 does not work correctly with this PAM module, because it clears the
|
|||
|
|
environment (even env_keep variables) prior to attempting PAM authentication.
|
|||
|
|
|
|||
|
|
sudo 1.7.2p1 or later is preferred, as it correctly sets PAM_RUSER for
|
|||
|
|
authentication.
|