From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id 6CpVEJX7dmTNfQEASxT56A (envelope-from ) for ; Wed, 31 May 2023 09:47:33 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id eItBEJX7dmT6BwEAauVa8A (envelope-from ) for ; Wed, 31 May 2023 09:47:33 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 1EA492A4A1 for ; Wed, 31 May 2023 09:47:33 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1q4GXp-0000VT-BV; Wed, 31 May 2023 03:46:57 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1q4GXn-0000UD-1Y for guix-devel@gnu.org; Wed, 31 May 2023 03:46:55 -0400 Received: from ns13.heimat.it ([46.4.214.66]) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1q4GXl-0001aV-2S for guix-devel@gnu.org; Wed, 31 May 2023 03:46:54 -0400 Received: from localhost (ip6-localhost [127.0.0.1]) by ns13.heimat.it (Postfix) with ESMTP id 7076B30022F; Wed, 31 May 2023 07:46:50 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at ns13.heimat.it Received: from ns13.heimat.it ([127.0.0.1]) by localhost (ns13.heimat.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lEgynxqnhOii; Wed, 31 May 2023 07:46:48 +0000 (UTC) Received: from bourrache.mug.xelera.it (unknown [93.56.171.217]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by ns13.heimat.it (Postfix) with ESMTPSA id A8B1A30022D; Wed, 31 May 2023 07:46:48 +0000 (UTC) Received: from roquette.mug.biscuolo.net (roquette [10.38.2.14]) by bourrache.mug.xelera.it (Postfix) with SMTP id 3E3982679F73; Wed, 31 May 2023 09:46:48 +0200 (CEST) Received: (nullmailer pid 6489 invoked by uid 1000); Wed, 31 May 2023 07:46:47 -0000 From: Giovanni Biscuolo To: Felix Lechner Cc: guix-devel@gnu.org Subject: Re: pam_ssh_agent_auth on a Guix System? In-Reply-To: Organization: Xelera.eu References: <87sfbd7o3l.fsf@xelera.eu> Date: Wed, 31 May 2023 09:46:47 +0200 Message-ID: <87pm6h6izc.fsf@xelera.eu> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Received-SPF: pass client-ip=46.4.214.66; envelope-from=g@xelera.eu; helo=ns13.heimat.it X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN ARC-Seal: i=1; s=key1; d=yhetil.org; t=1685519253; a=rsa-sha256; cv=none; b=GkUiYvCiiKOL7xOxvyPJl8MeSNvE7w1cabjo0/AdvZ/zvEDkvlRNcnEew2+5vTHBnkNHma xXeaXiMYbWbzgXTxVfLR1lqsIMKlB4euZItVSg8d6Hr3JmL9SGjGTMt+UiScr0trhS/xGT SoWagQJAyRG8ba6TXs/vMb/UnshePqKMu7QpuEy/v8Il08PN2PcS/NQOutarBz7HMr/w6V H+ErbAFfSmb+zXnje7UPAs+wt4t6OzaUrRtEovdlIsaKW0bBuuoWrvJ/wK73OhUkMo4IEP lDOR6JsdgxZ3D07hDorNxVjV6W/oo2kUXk7HaV2em5gUlrtN/yi1KD/1B7sdzQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1685519253; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post; bh=PXBWGgM/UkB/JAdjyfaWTe7FLH1y090MJrLCHyMvmq0=; b=qEsaC2ML+fgHoSV8kRp6WYjtwQ9ydj5qZPm8UlBmvjQYIjTdPhVCv/P+3G4TZ2Np8dn/R+ TglWFUJL943i2wF9vctIZ7dzXf9RIsepaHYQHJbjuLGzduaQOIM9MbeiCnqPzr8m1zw9dl TACR8288ClzliP8RlPT6Ll+5bjGxsvZT0TSb3NQWLPq3sOOqY0N3EsZ1FdCyd020i7Lv4P 1v7VrPL85uGw/8hHpHUmGsFyjyyn96zOYk1z35qRSgW3bJDRYdDtFpnjY+VU6vfi7iC5cm TH43UYbiM3tSFCfRn2cAaJJ8+ZSSkOOEAngOUnP3CwN3DSJPfAj8i626z6iDBA== Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Scanner: scn0.migadu.com X-Migadu-Spam-Score: -4.05 X-Spam-Score: -4.05 X-Migadu-Queue-Id: 1EA492A4A1 X-TUID: lWHhJsyQHhX+ --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Hi Felix, Felix Lechner writes: [...] >> I'd like to execute sudo without having to set and enter a password [1] >> and that PAM module is needed well, the above description is misleading :-( > You could also add a line like this to your /etc/sudoers (but I don't > recommend it) > > user_name ALL=3D(ALL) NOPASSWD:ALL actually I don't want to disable authentication, I'd like to: =2D-8<---------------cut here---------------start------------->8--- permit anyone who has an SSH_AUTH_SOCK that manages the private key matching a public key in /etc/security/authorized_keys to execute sudo without having to enter a password. Note that the ssh-agent listening to SSH_AUTH_SOCK can either be local, or forwarded. Unlike NOPASSWD, this still requires an authentication, it's just that the authentication is provided by ssh-agent, and not password entry. =2D-8<---------------cut here---------------end--------------->8--- (from https://pamsshagentauth.sourceforge.net/) >> is someone already using such a configuration in a Guix System? > > Not quite. I added my public ssh key to root's authorized_keys. It's > different from what you are looking for but gives you a root prompt > with 'ssh root@localhost`. mumble... I wonder if this works with a forwarded ssh-agent (this means that you don't need your private ssh key on the remote host to do that ssh) > I did it because it's required for 'guix deploy'. > > Personally, I have not used the SSH agent, but it's an interesting > avenue. I use Kerberos instead, which is probably the gold standard > for distributed authentication. You are doing the right thing by > thinking about your options. I never used kerberos (I should learn it) but if possible I'd like to avoid to install and configure extra services; ssh is ubiquitous and installing and configuring an ssh-agent on the client /maybe/ is easier than a kerberos client [...] Thanks! Gio' =2D-=20 Giovanni Biscuolo Xelera IT Infrastructures --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQJABAEBCgAqFiEERcxjuFJYydVfNLI5030Op87MORIFAmR2+2cMHGdAeGVsZXJh LmV1AAoJENN9DqfOzDkSCxsQAMxHAhtI8m/97ktb1gImL4ozbIjkFixXA2qNU5ax MNGI15Z0FW0OdJ+aM5xShBiXyPErRzMTjsZIG5v8UCSgk77ow1OToqsANVfml+Sy Ed1WQ2shQscPxuJbiwnpnfzZNwk9gZyMeouykVnnJo6NV80HVweUMg0LgHQ734Ac VPuRcQq1QXkupwVDUMlspBDG2F+Te/EH2i2DxJeGPBBxSpArUVXn90+MJlEJi2Ti O8j8r8aFu+nYE4C+Ik4VDCYoZ0UhIQNOJOU1NPQCipjwyjLnUEWBLsTqOhI9IZaS XA3dkaatjw/+DBz9nXSJsAIkzFN56/GrjSBBSGvgpS8f4l6SEOHjTBFnnT6VpyOR 1dUNzVygosAG4JowfkjyseOqt/aKT1XyD6EuqmZD1qBMcvY8TwkRwhZjA9W4t8bl De1XhqEA0SaRljcBT7bSKtYAF3NfUmyKWRQEoda47QVnLfH5kXuqZcQX7GHmzjTK fc1KVaiONwiU7UK5/17koZru5LNlaowvGox2dG9tvHj/Jn2BsKZ1I983XMa5YyXd SeaxXNSj/BEwoaXxzWgVZlppH0tPuTrO4ngPRjv2m5sh8ODcg7UbBQpDPtvlAJ0Q u4qDG5faov0e4iJ4lxNnQ6dJWxR79UrVsakkKmWxC3VP/8UdQiTlEJn6lUz4wTwj QJD5 =wJQF -----END PGP SIGNATURE----- --=-=-=--