Re: git: d8560936e35c - main - security/pam_rssh: New port

From: Romain Tartière <romain_at_freebsd.org>
Date: Wed, 22 Mar 2023 01:56:30 UTC
[Sending again from my @FreeBSD.org address so that it reaches
freebsd-ports@]

On Mon, Mar 20, 2023 at 09:33:14AM +0000, Matthew Seaman wrote:
> On 20/03/2023 03:50, Romain Tartière wrote:
> > The branch main has been updated by romain:
> > 
> > URL: https://cgit.FreeBSD.org/ports/commit/?id=d8560936e35c4a0fa797431cbe6e234639df690b
> > 
> > commit d8560936e35c4a0fa797431cbe6e234639df690b
> > Author:     Romain Tartière <romain@FreeBSD.org>
> > AuthorDate: 2023-03-20 03:33:19 +0000
> > Commit:     Romain Tartière <romain@FreeBSD.org>
> > CommitDate: 2023-03-20 03:49:50 +0000
> > 
> >      security/pam_rssh: New port
> >      
> >      This PAM module provides ssh-agent based authentication. The primary
> >      design goal is to avoid typing a password when you sudo on remote
> >      servers. Instead, you can simply touch your hardware security key (e.g.
> >      Yubikey/Canokey) to fulfill user verification. The process is done by
> >      forwarding the remote authentication request to the client-side
> >      ssh-agent as a signature request.
> 
> Hmmm... I wonder if it mightn't be an idea to have a "see also" comment 
> in a port where there are other ports available that provide very 
> similar functionality?

I am not aware of such "See also" ATM, but that might make some sense.

> As far as I can tell, this does _exactly_ the same thing as 
> security/pam_ssh_agent_auth -- the principal difference being, pam_rssh 
> is written in rust, and pam_ssh_agent_auth is written in C.

Almost :-D  pam_ssh_agent_auth does not support the "new" OpenSSH -sk
keys [1] (keys that are hardware backed [2]).  There was some effort to
integrate his PAM module into openssh [3] but it has been abandoned.

With these new -sk keys, I am reconsidering my usage of sudo on remote
systems where I don't use passwords and where I would prefer some kind
of authorization.  pam_ssh_agent_auth was out of scope because
forwarding keys by default looked like a terrible idea, but with the
requirement of physically touching a device to use a -sk key, forwarding
the agent to reasonably trusted systems looks more acceptable...

Romain

References:
  1. https://github.com/jbeverly/pam_ssh_agent_auth/issues/23
  2. https://undeadly.org/cgi?action=article;sid=20191115064850
  3. https://github.com/tobhe/pam-ssh-agent-auth2/commit/262a4add32e265db12b842d200fe626d973543b7


-- 
Romain Tartière <romain@FreeBSD.org>  http://people.FreeBSD.org/~romain/
pgp: 8234 9A78 E7C0 B807 0B59  80FF BA4D 1D95 5112 336F (ID: 0x5112336F)
(plain text =non-HTML= PGP/GPG encrypted/signed e-mail much appreciated)
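Added example, not from this thread nor from pam_rssh or pam_ssh_agent_auth: before forwarding an agent to a host that authenticates sudo against it, a quick audit of which keys in an `ssh-add -L` style listing are FIDO-backed -sk keys. It parses the public-key wire layout OpenSSH documents in PROTOCOL.u2f; the sample keys are constructed inline, and the key names (laptop, yubikey, canokey) are made up.

```python
import base64
import struct

# OpenSSH key types that are FIDO/U2F ("-sk") hardware backed.
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def describe_key(line):
    """Parse one `ssh-add -L` / authorized_keys line into (type, is_sk, application);
    application is the FIDO relying-party id in sk keys (normally "ssh:"), else None."""
    ktype, blob_b64 = line.split()[:2]
    blob = base64.b64decode(blob_b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != ktype:
        raise ValueError("key type field does not match wire blob")
    if ktype not in SK_TYPES:
        return ktype, False, None
    if ktype == "sk-ecdsa-sha2-nistp256@openssh.com":
        _curve, off = _read_string(blob, off)  # "nistp256"
    _pub, off = _read_string(blob, off)        # raw ed25519 key or EC point
    app, off = _read_string(blob, off)         # application string
    return ktype, True, app.decode()

def non_sk_keys(listing):
    """Comments of keys in an `ssh-add -L` listing that are NOT hardware backed."""
    plain = []
    for line in filter(None, listing.splitlines()):
        ktype, is_sk, _ = describe_key(line)
        if not is_sk:
            parts = line.split(maxsplit=2)
            plain.append(parts[2] if len(parts) > 2 else "")
    return plain

def make_line(ktype, fields, comment):
    """Build a public-key line in the wire layout above (constructed test data)."""
    blob = _ssh_string(ktype.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"

# Constructed sample listing: one plain key and two FIDO-backed keys.
SAMPLE_LISTING = "\n".join([
    make_line("ssh-ed25519", [b"\x01" * 32], "laptop"),
    make_line("sk-ssh-ed25519@openssh.com", [b"\x02" * 32, b"ssh:"], "yubikey"),
    make_line("sk-ecdsa-sha2-nistp256@openssh.com",
              [b"nistp256", b"\x04" + b"\x03" * 64, b"ssh:sudo"], "canokey"),
])
```

An sk type only tells you the private key lives on the authenticator; whether a touch is required is chosen at enrollment (`ssh-keygen -O no-touch-required`) and reported in the signature's flags, which a public-key listing cannot show.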