From: Felix Lechner via "Development of GNU Guix and the GNU System distribution." <guix-devel@gnu.org>
To: Giovanni Biscuolo <g@xelera.eu>
Cc: guix-devel@gnu.org
Subject: Re: pam_ssh_agent_auth on a Guix System?
Date: Tue, 30 May 2023 10:34:15 -0700
Message-ID: <CAFHYt56TofLk1kEkNOP=P=KGrPUb=EGBYfkcEcpt0tAZ6HQY=w@mail.gmail.com>
In-Reply-To: <87sfbd7o3l.fsf@xelera.eu>

Hi Giovanni,

On Tue, May 30, 2023 at 9:59 AM Giovanni Biscuolo <g@xelera.eu> wrote:
>
> AFAIU pam_ssh_agent_auth https://pamsshagentauth.sourceforge.net/ is not
> already packaged in Guix, or am I missing something?

I was not able to find it, either.

> I'd like to execute sudo without having to set and enter a password [1]
> and that PAM module is needed

You could also add a line like this to your /etc/sudoers (but I don't
recommend it)

user_name ALL=(ALL) NOPASSWD:ALL

> is someone already using such a configuration in a Guix System?

Not quite. I added my public ssh key to root's authorized_keys. It's
different from what you are looking for but gives you a root prompt
with `ssh root@localhost`. I did it because it's required for 'guix
deploy'.

Personally, I have not used the SSH agent, but it's an interesting
avenue. I use Kerberos instead, which is probably the gold standard
for distributed authentication. You are doing the right thing by
thinking about your options.

When playing with PAM, please remember that PAM can never elevate
privileges of its own process. It is a shared library that runs as
part of a privileged executable (often setuid root). PAM decides
whether someone hoping to use the executable is authorized to do so.

Kind regards
Felix
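
Added example for this thread (not code from the thread, from Guix or from
pam_ssh_agent_auth): the sudoers shortcut quoted above beside a narrower
policy that keeps the password prompt and lets pam_ssh_agent_auth satisfy it,
the pam.d entry that module is normally wired with, and a small checker that
flags the "NOPASSWD:ALL" pattern and confirms SSH_AUTH_SOCK is forwarded to
sudo. The sudoers and pam.d texts are constructed; the herd path is an
assumption about a Guix System layout, and /etc/pam.d/sudo on Guix System is
generated from the system configuration rather than hand-edited. Note how the
PAM line fits Felix's point: the module runs inside sudo's setuid process and
only answers yes or no for the auth phase; "sufficient" means a valid agent
signature ends that phase, and a failure falls through to the password check.

```python
"""Audit a sudoers policy for unrestricted NOPASSWD grants.

Added example for this thread, not code from Guix or pam_ssh_agent_auth.
The sudoers and pam.d texts are constructed; the herd path is an assumption
about a Guix System layout.
"""
import re
from typing import Iterator, List

# Constructed: the shortcut suggested in the thread.  Any process running
# as alice (or anything that can exec a command as alice) becomes root
# without any further check.
WEAK_SUDOERS = """\
root   ALL=(ALL:ALL) ALL
alice  ALL=(ALL) NOPASSWD:ALL
"""

# Constructed: keep the password prompt for the general case and let
# pam_ssh_agent_auth satisfy it (sudo must forward SSH_AUTH_SOCK so the
# module can reach the agent); only one fixed command is password-free.
# The herd path is an assumption about Guix System.
HARDENED_SUDOERS = """\
Defaults env_keep += "SSH_AUTH_SOCK"
root   ALL=(ALL:ALL) ALL
alice  ALL=(ALL) ALL
alice  ALL=(root) NOPASSWD: /run/current-system/profile/bin/herd restart sshd
"""

# Constructed: the matching /etc/pam.d/sudo entry.  The module is loaded
# into sudo's own setuid process and only decides the auth phase; with
# 'sufficient', a valid agent signature ends that phase and a failure falls
# through to the normal password modules below it.
PAM_SUDO = "auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys\n"

_TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW|INTERCEPT|NOINTERCEPT):\s*"
)
_SKIP_RE = re.compile(r"^(#|Defaults\b|@|(User|Host|Cmnd|Runas)_Alias\b)")


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines, as sudoers does, and drop blanks."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf:
            yield buf
        buf = ""
    if buf:
        yield buf


def unrestricted_nopasswd(sudoers: str) -> List[str]:
    """Principals (users or %groups) allowed to run ALL commands with NOPASSWD.

    Line-level approximation: aliases and @include files are not expanded and
    host/runas lists are ignored, so a grant hidden behind a Cmnd_Alias is
    missed.  It does catch the pattern discussed in the thread.
    """
    found: List[str] = []
    for line in _logical_lines(sudoers):
        if _SKIP_RE.match(line) or "=" not in line:
            continue
        principal_part, spec = line.split("=", 1)
        principal = principal_part.split()[0]
        spec = re.sub(r"\([^)]*\)", "", spec)  # drop (runas) lists
        nopasswd = False
        for entry in spec.split(","):
            cmd = entry.strip()
            # A tag prefixes a command and stays in force for the commands
            # that follow it until the opposite tag appears.
            while True:
                m = _TAG_RE.match(cmd)
                if not m:
                    break
                if m.group(1) == "NOPASSWD":
                    nopasswd = True
                elif m.group(1) == "PASSWD":
                    nopasswd = False
                cmd = cmd[m.end():]
            if nopasswd and cmd == "ALL" and principal not in found:
                found.append(principal)
    return found


def forwards_agent_socket(sudoers: str) -> bool:
    """True if a Defaults line keeps SSH_AUTH_SOCK, which pam_ssh_agent_auth needs."""
    return any(
        line.startswith("Defaults") and "env_keep" in line and "SSH_AUTH_SOCK" in line
        for line in _logical_lines(sudoers)
    )


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(f"{name}: NOPASSWD ALL for {unrestricted_nopasswd(text) or 'nobody'}, "
              f"SSH_AUTH_SOCK forwarded: {forwards_agent_socket(text)}")
```

The checker is deliberately a line-level approximation; run `visudo -c` on the
real file for syntax, and read any Cmnd_Alias and @include by hand, since
those are where a broad grant tends to hide.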



Thread overview: 3+ messages
2023-05-30 16:58 pam_ssh_agent_auth on a Guix System? Giovanni Biscuolo
2023-05-30 17:34 ` Felix Lechner via Development of GNU Guix and the GNU System distribution. [this message]
2023-05-31  7:46   ` Giovanni Biscuolo
