all messages for Guix-related lists mirrored at yhetil.org
* pam_ssh_agent_auth on a Guix System?
@ 2023-05-30 16:58 Giovanni Biscuolo
  2023-05-30 17:34 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
  0 siblings, 1 reply; 3+ messages in thread
From: Giovanni Biscuolo @ 2023-05-30 16:58 UTC (permalink / raw)
  To: guix-devel


Hello,

AFAIU pam_ssh_agent_auth https://pamsshagentauth.sourceforge.net/ is not
packaged in Guix yet, or am I missing something?

I'd like to execute sudo without having to set and enter a password [1]
and that PAM module is needed

...then also a service to properly set up /etc/pam.d/sudo and
/etc/sudoers.

Is someone already using such a configuration on a Guix System?

Thanks, Gio'


[1] Is it safer or more efficient to have user authentication without
a password but only with an SSH key?

-- 
Giovanni Biscuolo

Xelera IT Infrastructures



* Re: pam_ssh_agent_auth on a Guix System?
  2023-05-30 16:58 pam_ssh_agent_auth on a Guix System? Giovanni Biscuolo
@ 2023-05-30 17:34 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
  2023-05-31  7:46   ` Giovanni Biscuolo
  0 siblings, 1 reply; 3+ messages in thread
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2023-05-30 17:34 UTC (permalink / raw)
  To: Giovanni Biscuolo; +Cc: guix-devel

Hi Giovanni,

On Tue, May 30, 2023 at 9:59 AM Giovanni Biscuolo <g@xelera.eu> wrote:
>
> AFAIU pam_ssh_agent_auth https://pamsshagentauth.sourceforge.net/ is not
> packaged in Guix yet, or am I missing something?

I was not able to find it, either.

> I'd like to execute sudo without having to set and enter a password [1]
> and that PAM module is needed

You could also add a line like this to your /etc/sudoers (but I don't
recommend it):

user_name ALL=(ALL) NOPASSWD:ALL

> is someone already using such a configuration in a Guix System?

Not quite. I added my public ssh key to root's authorized_keys. It's
different from what you are looking for but gives you a root prompt
with `ssh root@localhost`. I did it because it's required for `guix
deploy`.

Personally, I have not used the SSH agent, but it's an interesting
avenue. I use Kerberos instead, which is probably the gold standard
for distributed authentication. You are doing the right thing by
thinking about your options.

When playing with PAM, please remember that PAM can never elevate
privileges of its own process. It is a shared library that runs as
part of a privileged executable (often setuid root). PAM decides
whether someone hoping to use the executable is authorized to do so.

Kind regards
Felix



* Re: pam_ssh_agent_auth on a Guix System?
  2023-05-30 17:34 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
@ 2023-05-31  7:46   ` Giovanni Biscuolo
  0 siblings, 0 replies; 3+ messages in thread
From: Giovanni Biscuolo @ 2023-05-31  7:46 UTC (permalink / raw)
  To: Felix Lechner; +Cc: guix-devel


Hi Felix,

Felix Lechner <felix.lechner@lease-up.com> writes:

[...]

>> I'd like to execute sudo without having to set and enter a password [1]
>> and that PAM module is needed

Well, the above description is misleading :-(

> You could also add a line like this to your /etc/sudoers (but I don't
> recommend it)
>
> user_name ALL=(ALL) NOPASSWD:ALL

Actually, I don't want to disable authentication; I'd like to:

--8<---------------cut here---------------start------------->8---

permit anyone who has an SSH_AUTH_SOCK that manages the private key
matching a public key in /etc/security/authorized_keys to execute sudo
without having to enter a password. Note that the ssh-agent listening to
SSH_AUTH_SOCK can either be local, or forwarded.

Unlike NOPASSWD, this still requires an authentication, it's just that
the authentication is provided by ssh-agent, and not password entry.

--8<---------------cut here---------------end--------------->8---
(from https://pamsshagentauth.sourceforge.net/)

>> is someone already using such a configuration in a Guix System?
>
> Not quite. I added my public ssh key to root's authorized_keys. It's
> different from what you are looking for but gives you a root prompt
> with 'ssh root@localhost`.

Mumble... I wonder if this works with a forwarded ssh-agent (this means
that you don't need your private SSH key on the remote host to do that
ssh).

> I did it because it's required for 'guix deploy'.
>
> Personally, I have not used the SSH agent, but it's an interesting
> avenue. I use Kerberos instead, which is probably the gold standard
> for distributed authentication. You are doing the right thing by
> thinking about your options.

I have never used Kerberos (I should learn it), but if possible I'd like
to avoid installing and configuring extra services; SSH is ubiquitous,
and installing and configuring an ssh-agent on the client /maybe/ is
easier than a Kerberos client.

[...]

Thanks! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

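As an added example (not code from this thread, from Giovanni or Felix, or from the Guix tree), here is what the "service to properly set up /etc/pam.d/sudo and /etc/sudoers" asked for in the first message could look like as a Guix System configuration, implementing the behaviour quoted above from the pam_ssh_agent_auth page. It assumes a package variable `pam-ssh-agent-auth` that installs `lib/security/pam_ssh_agent_auth.so`, exported by a hypothetical module `(my packages pam-ssh-agent-auth)` (the thread establishes that Guix has no such package yet, so that part has to be written first), and it uses the `pam-extension`/`pam-root-service-type` interface of `(gnu system pam)` and the `sudoers-file` field of `operating-system` as I understand them; verify both against the Guix manual for your revision. Host name, devices and the user account are placeholders.

```scheme
;; Added example, not from this thread or from the Guix tree: a Guix System
;; configuration that lets sudo authenticate through pam_ssh_agent_auth.
;; ASSUMPTIONS: a package variable `pam-ssh-agent-auth' providing
;; lib/security/pam_ssh_agent_auth.so, exported by a hypothetical module
;; (the thread says Guix has no such package yet), and the `pam-extension'
;; interface of (gnu system pam).  Check both against your Guix revision.
(use-modules (gnu)
             (gnu system pam)
             (guix gexp)
             (my packages pam-ssh-agent-auth))  ; hypothetical module

(use-package-modules ssh)                       ; openssh: ssh-agent, ssh-add

;; Root-owned, mode 0644 list of public keys whose agent may unlock sudo.
;; It lives outside every home directory on purpose: a user must not be
;; able to append a key to the list that authorizes root for them.
(define %sudo-authorized-keys "/etc/security/authorized_keys")

(define pam-ssh-agent-auth-entry
  (pam-entry
   (control "sufficient")             ; agent signs -> done, no password;
                                      ; no agent / bad key -> next entry
   (module (file-append pam-ssh-agent-auth
                        "/lib/security/pam_ssh_agent_auth.so"))
   (arguments (list (string-append "file=" %sudo-authorized-keys)))))

(define (sudo-with-ssh-agent-auth pam)
  "Return PAM with the agent check prepended to its `auth' stack if PAM is
the sudo service; return any other service unchanged, so login, su and
friends keep asking for a password."
  (if (string=? (pam-service-name pam) "sudo")
      (pam-service
       (inherit pam)
       (auth (cons pam-ssh-agent-auth-entry (pam-service-auth pam))))
      pam))

(define pam-ssh-agent-auth-service-type
  (service-type
   (name 'pam-ssh-agent-auth)
   (extensions
    (list (service-extension
           pam-root-service-type
           (const (list (pam-extension
                         (transformer sudo-with-ssh-agent-auth)))))))
   (default-value #t)
   (description
    "Let sudo accept a signature from the caller's ssh-agent (local or
forwarded) instead of a password, via pam_ssh_agent_auth.")))

;; sudo scrubs the environment before PAM runs; without env_keep the
;; module never sees SSH_AUTH_SOCK and every call falls through to the
;; password prompt.  The NOPASSWD line Felix warned against is left in as
;; a comment for contrast: it removes authentication, env_keep keeps it.
(define %sudoers-with-agent-auth
  (plain-file "sudoers"
              (string-append
               "root ALL=(ALL) ALL\n"
               "%wheel ALL=(ALL) ALL\n"
               "Defaults env_keep += \"SSH_AUTH_SOCK\"\n"
               ;; "%wheel ALL=(ALL) NOPASSWD:ALL\n"  ; don't: no auth at all
               )))

(operating-system
  (host-name "example")                         ; placeholders below
  (timezone "Etc/UTC")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda"))))
  (file-systems (cons (file-system
                        (device "/dev/sda1")
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (users (cons (user-account
                (name "gio")
                (group "users")
                (supplementary-groups '("wheel")))
               %base-user-accounts))
  (packages (cons openssh %base-packages))
  (sudoers-file %sudoers-with-agent-auth)
  (services (cons (service pam-ssh-agent-auth-service-type)
                  %base-services)))
```

Three things to check after `guix system reconfigure`: `/etc/pam.d/sudo` must list the agent module before `pam_unix.so`, `/etc/sudoers` must carry the `env_keep` line (otherwise sudo drops `SSH_AUTH_SOCK` and you always get the password prompt), and `/etc/security/authorized_keys` must be root-owned and not writable by anyone else, since the module, like sshd, is meant to reject a keys file the user could edit. Two caveats that follow from the quoted description: with a forwarded agent the private key never touches the host, but every host you forward the agent to can then obtain sudo on every machine where that key is listed, so forward it only to hosts you trust with that power; and because the module runs inside the setuid `sudo` process (Felix's point about PAM), root reaches the agent socket regardless of its permissions, which is why the decision rests entirely on the signature check and the contents of the root-owned keys file.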

