Subject: Re: pam_ssh_agent_auth on a Guix System?
From: Felix Lechner via "Development of GNU Guix and the GNU System distribution."
Reply-to: Felix Lechner
To: Giovanni Biscuolo
Cc: guix-devel@gnu.org
Date: Tue, 30 May 2023 10:34:15 -0700
In-Reply-To: <87sfbd7o3l.fsf@xelera.eu>
References: <87sfbd7o3l.fsf@xelera.eu>
List-Id: "Development of GNU Guix and the GNU System distribution."
Hi Giovanni,

On Tue, May 30, 2023 at 9:59 AM Giovanni Biscuolo wrote:
>
> AFAIU pam_ssh_agent_auth https://pamsshagentauth.sourceforge.net/ is not
> already packaged in Guix, or am I missing something?

I was not able to find it, either.

> I'd like to execute sudo without having to set and enter a password [1]
> and that PAM module is needed

You could also add a line like this to your /etc/sudoers (but I don't
recommend it)

    user_name ALL=(ALL) NOPASSWD:ALL

> is someone already using such a configuration in a Guix System?

Not quite. I added my public ssh key to root's authorized_keys. It's
different from what you are looking for but gives you a root prompt
with 'ssh root@localhost'. I did it because it's required for
'guix deploy'.

Personally, I have not used the SSH agent, but it's an interesting
avenue. I use Kerberos instead, which is probably the gold standard for
distributed authentication. You are doing the right thing by thinking
about your options.

When playing with PAM, please remember that PAM can never elevate
privileges of its own process. It is a shared library that runs as part
of a privileged executable (often setuid root). PAM decides whether
someone hoping to use the executable is authorized to do so.

Kind regards
Felix
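Added example, not part of Felix's message or of Guix's own documentation: a minimal Guix System operating-system declaration for the arrangement Felix describes (the admin's public key in root's authorized_keys so that 'ssh root@localhost' and 'guix deploy' work), with the openssh service restricted so that root is reachable by that key only and password logins are off for every account. The host name, disk device and the key file name admin-id_ed25519.pub are assumptions.

```scheme
;; Added example (not from the original message).  Root login by key for
;; 'guix deploy', hardened: no password authentication anywhere, and root
;; accepted only with the key installed below.  Host name, disk device and
;; the public key file name are assumed values.
(use-modules (gnu) (gnu services ssh))

(operating-system
  (host-name "guix-box")
  (timezone "Etc/UTC")
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda"))))
  (file-systems (cons (file-system
                        (device (file-system-label "root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (services
   (append
    (list
     (service openssh-service-type
              (openssh-configuration
               ;; The weak variant would be (permit-root-login #t) with
               ;; (password-authentication? #t), which exposes root to
               ;; password guessing.  'prohibit-password lets root in with a
               ;; key only.
               (permit-root-login 'prohibit-password)
               ;; Refuse passwords for every account; the only credential the
               ;; daemon then accepts is an SSH key.
               (password-authentication? #f)
               ;; Install the admin's public key for root.  This is what gives
               ;; 'ssh root@localhost' a root prompt without touching sudoers.
               (authorized-keys
                `(("root" ,(local-file "admin-id_ed25519.pub")))))))
    %base-services)))
```

Place admin-id_ed25519.pub next to the configuration file and build with 'guix system reconfigure'; the daemon still runs as root, PAM and sshd only decide who is admitted.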