Re: git: d8560936e35c - main - security/pam_rssh: New port

From: Romain Tartière <>
Date: Wed, 22 Mar 2023 01:56:30 UTC
[Sending again form my address so that it reach

On Mon, Mar 20, 2023 at 09:33:14AM +0000, Matthew Seaman wrote:
> On 20/03/2023 03:50, Romain Tartière wrote:
> > The branch main has been updated by romain:
> > 
> > URL:
> > 
> > commit d8560936e35c4a0fa797431cbe6e234639df690b
> > Author:     Romain Tartière<>
> > AuthorDate: 2023-03-20 03:33:19 +0000
> > Commit:     Romain Tartière<>
> > CommitDate: 2023-03-20 03:49:50 +0000
> > 
> >      security/pam_rssh: New port
> >      
> >      This PAM module provides ssh-agent based authentication. The primary
> >      design goal is to avoid typing password when you sudo on remote servers.
> >      Instead, you can simply touch your hardware security key (e.g.
> >      Yubikey/Canokey) to fulfill user verification. The process is done by
> >      forwarding the remote authentication request to client-side ssh-agent as
> >      a signature request.
> Hmmm... I wonder if it mightn't be an idea to have a "see also" comment 
> in a port where there are other ports available that provide very 
> similar functionality?

I am not aware of such "See also" ATM, but that might make some sense.

> As far as I can tell, this does _exactly_ the same thing as 
> security/pam_ssh_agent_auth -- the principal difference being, pam_rssh 
> is written in rust, and pam_ssh_agent_auth is written in C.

Almost :-D  pam_ssh_agent_auth does not support the "new" OpenSSH -sk
keys [1] (keys that are hardware backed [2]).  There was some effort to
integrate his PAM module into openssh [3] but it has been abandoned.

With these new -sk keys, I am reconsidering my usage of sudo on remote
systems where I don't use passwords and where I would prefer some kind
of authorization.  pam_ssh_agent_auth was out of scope because
forwarding keys by default looked a terrible idea, but with the
requirement of physically touching a device to use a -sk key, forwarding
the agent to reasonably trusted systems looks more acceptable...



Romain Tartière <>
pgp: 8234 9A78 E7C0 B807 0B59  80FF BA4D 1D95 5112 336F (ID: 0x5112336F)
(plain text =non-HTML= PGP/GPG encrypted/signed e-mail much appreciated)