Date:      Tue, 21 Mar 2023 15:56:30 -1000
From:      Romain Tartière <romain@freebsd.org>
To:        Matthew Seaman <matthew@freebsd.org>
Cc:        FreeBSD Ports ML <freebsd-ports@freebsd.org>
Subject:   Re: git: d8560936e35c - main - security/pam_rssh: New port
Message-ID:  <ZBpgUnxyeIU3O5w2@blogreen.org>
In-Reply-To: <7d33a04d-1c5c-d212-fb30-a6a23b6cb75f@FreeBSD.org>
References:  <202303200350.32K3oX6Y014089@gitrepo.freebsd.org> <7d33a04d-1c5c-d212-fb30-a6a23b6cb75f@FreeBSD.org>


[Sending again from my @FreeBSD.org address so that it reaches
freebsd-ports@]

On Mon, Mar 20, 2023 at 09:33:14AM +0000, Matthew Seaman wrote:
> On 20/03/2023 03:50, Romain Tartière wrote:
> > The branch main has been updated by romain:
> >
> > URL:https://cgit.FreeBSD.org/ports/commit/?id=d8560936e35c4a0fa797431cbe6e234639df690b
> >
> > commit d8560936e35c4a0fa797431cbe6e234639df690b
> > Author:     Romain Tartière <romain@FreeBSD.org>
> > AuthorDate: 2023-03-20 03:33:19 +0000
> > Commit:     Romain Tartière <romain@FreeBSD.org>
> > CommitDate: 2023-03-20 03:49:50 +0000
> >
> >      security/pam_rssh: New port
> >
> >      This PAM module provides ssh-agent based authentication. The primary
> >      design goal is to avoid typing a password when you sudo on remote servers.
> >      Instead, you can simply touch your hardware security key (e.g.
> >      Yubikey/Canokey) to fulfill user verification. The process is done by
> >      forwarding the remote authentication request to client-side ssh-agent as
> >      a signature request.
>
> Hmmm... I wonder if it mightn't be an idea to have a "see also" comment
> in a port where there are other ports available that provide very
> similar functionality?

I am not aware of such "See also" ATM, but that might make some sense.

> As far as I can tell, this does _exactly_ the same thing as
> security/pam_ssh_agent_auth -- the principal difference being, pam_rssh
> is written in rust, and pam_ssh_agent_auth is written in C.

Almost :-D  pam_ssh_agent_auth does not support the "new" OpenSSH -sk
keys [1] (keys that are hardware backed [2]).  There was some effort to
integrate this PAM module into openssh [3] but it has been abandoned.

With these new -sk keys, I am reconsidering my usage of sudo on remote
systems where I don't use passwords and where I would prefer some kind
of authorization.  pam_ssh_agent_auth was out of scope because
forwarding keys by default looked like a terrible idea, but with the
requirement of physically touching a device to use a -sk key, forwarding
the agent to reasonably trusted systems looks more acceptable...

Romain

References:
  1. https://github.com/jbeverly/pam_ssh_agent_auth/issues/23
  2. https://undeadly.org/cgi?action=article;sid=20191115064850
  3. https://github.com/tobhe/pam-ssh-agent-auth2/commit/262a4add32e265db12b842d200fe626d973543b7


-- 
Romain Tartière <romain@FreeBSD.org>  http://people.FreeBSD.org/~romain/
pgp: 8234 9A78 E7C0 B807 0B59  80FF BA4D 1D95 5112 336F (ID: 0x5112336F)
(plain text =non-HTML= PGP/GPG encrypted/signed e-mail much appreciated)
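The round trip the commit message describes (the remote side hands the agent a signature request, and with an -sk key the agent only answers after a touch), as an added example that is not code from pam_rssh or pam_ssh_agent_auth: it frames an SSH_AGENTC_SIGN_REQUEST for the forwarded agent socket and decodes the reply, pulling out the user-presence flag that -sk signatures carry per OpenSSH's PROTOCOL.u2f. The function names and the sample bytes in the test are assumptions for illustration; the code checks the presence flag only and does not verify the signature against the authorized key.

```python
import os
import socket
import struct

# ssh-agent message numbers (draft-miller-ssh-agent); -sk signature flag bits (PROTOCOL.u2f).
SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14
SK_USER_PRESENCE, SK_USER_VERIFICATION = 0x01, 0x04  # key touched; PIN/biometric checked

def ssh_string(b):
    """Encode bytes as an SSH 'string': uint32 big-endian length, then the data."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    """Decode one SSH 'string' at buf[off:]; return (value, offset after it)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sign_request(key_blob, challenge, flags=0):
    """Frame the SSH_AGENTC_SIGN_REQUEST the server-side module sends down the forwarded socket."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(challenge) + struct.pack(">I", flags))
    return ssh_string(body)  # the whole message is itself length-prefixed

def parse_sign_response(msg):
    """Decode a reply body: {'type','sig'} plus 'flags'/'counter' for -sk keys; None on failure."""
    if not msg or msg[0] != SSH_AGENT_SIGN_RESPONSE:
        return None  # SSH_AGENT_FAILURE (5) or garbage
    sig, _ = read_string(msg, 1)
    sig_type, off = read_string(sig, 0)
    inner, off = read_string(sig, off)
    out = {"type": sig_type.decode(), "sig": inner}
    if sig_type.startswith(b"sk-"):  # sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com
        if len(sig) < off + 5:  # byte flags + uint32 counter must follow
            return None
        out["flags"] = sig[off]
        (out["counter"],) = struct.unpack_from(">I", sig, off + 1)
    return out

def touch_asserted(resp):
    """Policy check: accept only -sk signatures whose flags say the key was touched."""
    return resp is not None and bool(resp.get("flags", 0) & SK_USER_PRESENCE)

def agent_sign(key_blob, challenge):
    """Round trip over $SSH_AUTH_SOCK, the socket that agent forwarding provides on the remote host."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        s.sendall(build_sign_request(key_blob, challenge))
        f = s.makefile("rb")
        (n,) = struct.unpack(">I", f.read(4))
        return parse_sign_response(f.read(n))
```

A verifier that also checks the counter is monotonically increasing, in addition to the presence bit, catches a replayed response; that bookkeeping is left out here.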
