
Support FIDO/U2F ecdsa-sk and ed25519-sk ssh keys

Open srstsavage opened this issue 4 years ago • 10 comments

Support for the new ecdsa-sk and ed25519-sk key types would be awesome.

srstsavage avatar May 04 '20 20:05 srstsavage

To help those Googling for this issue, here's the exact text of the error I get (which I'm fairly certain is caused by this issue):

pam_ssh_agent_auth: error: key_from_blob: remaining bytes in key blob 89

virtualdxs avatar May 27 '20 19:05 virtualdxs

I've been playing around with using pam_ssh_agent_auth for pam authentication of sudo over an ssh connection with my yubikey. Added KEY_ECDSA_SK type, and sk_application to the Key struct, and a few minor modifications later, pam_ssh_agent_auth now seems to be correctly requesting authentication from the client using the yubikey. Next thing I attempted was to handle ECDSA_SK signatures correctly, basing my changes on openssh ssh_ecdsa_sk_verify function implementation, but have not had success here so far.

But this is kind of reinventing the wheel, patching changes openssh project already got working into this very similar (but different enough) code base. Have also briefly investigated jbeverly's pam_ssh_agent_auth-2.0 fork of openssh-portable, since it would get SK key support "for free" with a rebase, but it looks like that project has a lot of catching-up to do.

davex25 avatar Jul 09 '20 19:07 davex25
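As an added illustration (not code from pam_ssh_agent_auth or from anyone in this thread), the Python below parses an OpenSSH public-key blob with and without knowledge of the two FIDO/U2F layouts. It shows the extra application string davex25 refers to, and how a parser that does not know a type consumes only the type name and leaves everything else unconsumed, as the old OpenSSH-derived key_from_blob does; for an ecdsa-sk key with the default application "ssh:" that leftover is 89 bytes, the figure in the error virtualdxs quotes above. The layout table, helper names and sample key bytes are constructed for this example.

```python
import base64
import struct

# Field layout of each OpenSSH public-key blob after the leading type-name string.
# "application" (the FIDO relying-party id, "ssh:" by default) is the extra field
# that the -sk key types carry and that older parsers never consume.
LAYOUTS = {
    "ssh-ed25519": ["pk"],
    "ecdsa-sha2-nistp256": ["curve", "Q"],
    "sk-ssh-ed25519@openssh.com": ["pk", "application"],
    "sk-ecdsa-sha2-nistp256@openssh.com": ["curve", "Q", "application"],
}
LEGACY_LAYOUTS = {k: v for k, v in LAYOUTS.items() if not k.startswith("sk-")}

def ssh_string(payload: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length, then the payload."""
    return struct.pack(">I", len(payload)) + payload

def read_string(blob: bytes, off: int):
    """Decode one SSH string at offset off; return (payload, offset after it)."""
    n = struct.unpack(">I", blob[off:off + 4])[0]
    if off + 4 + n > len(blob):
        raise ValueError("truncated SSH string")
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_key_blob(blob: bytes, layouts: dict):
    """Return (type name, fields, unconsumed byte count). For a type absent from
    layouts only the type name is consumed; the leftover is what a
    'remaining bytes in key blob' error reports."""
    ktype, off = read_string(blob, 0)
    ktype = ktype.decode()
    fields = {}
    for name in layouts.get(ktype, []):
        fields[name], off = read_string(blob, off)
    return ktype, fields, len(blob) - off

def blob_from_pubkey_line(line: str) -> bytes:
    """Raw blob from an authorized_keys / id_*.pub line (its second field)."""
    return base64.b64decode(line.split()[1])

def build_blob(ktype: str, **fields) -> bytes:
    """Serialise fields in layout order (used here only to construct samples)."""
    return ssh_string(ktype.encode()) + b"".join(ssh_string(fields[n]) for n in LAYOUTS[ktype])

# Constructed sample line (placeholder bytes, not real key material): an ecdsa-sk
# key with a 65-byte uncompressed point and the default application "ssh:".
SAMPLE_LINE = "sk-ecdsa-sha2-nistp256@openssh.com " + base64.b64encode(build_blob(
    "sk-ecdsa-sha2-nistp256@openssh.com", curve=b"nistp256",
    Q=b"\x04" + b"\x11" * 64, application=b"ssh:")).decode() + " demo"
```

Parsing SAMPLE_LINE with LEGACY_LAYOUTS reports 89 unconsumed bytes (8 for the curve name, 69 for the point, 8 for "ssh:", each with its 4-byte length prefix); with LAYOUTS it reports 0 and returns the application field.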

You might be interested in my implementation, see https://github.com/jbeverly/pam_ssh_agent_auth/issues/3.

cavokz avatar Jul 19 '20 21:07 cavokz

@cavokz Tried it out, appears to work perfectly for my yubikey use case above.

However your mailing list conversation is making me rethink whether this sudo use case makes sense to begin with.

davex25 avatar Jul 21 '20 20:07 davex25

@davex25 What to do then if sshd is not there? Is using it as sudo replacement a reason good enough for installing and configuring it to listen on localhost only? I cannot answer, I usually install it quite early on a new machine.

cavokz avatar Jul 22 '20 11:07 cavokz

I was looking into doing this (i.e. use my Yubikey to sudo over ssh), and then I realised that instead of going through the trouble of setting up the PAM module, I could just ssh to root when needed (quite obviously :sweat_smile:):

# ssh as user:
ssh user@server

# ssh as root:
ssh root@server

In the mailing list, somebody suggests that instead of doing this, it should be possible to set up the remote machine such that one can become root with:

ssh user@server # on the local machine
ssh -A localhost -l root # on the remote machine

@cavokz: did I understand this correctly?

JonasVautherin avatar Apr 18 '23 23:04 JonasVautherin

> In the mailing list, somebody suggests that instead of doing this, it should be possible to set up the remote machine such that one can become root with:
>
> ssh user@server # on the local machine
> ssh -A localhost -l root # on the remote machine
>
> @cavokz: did I understand this correctly?

I think so :)

cavokz avatar Apr 19 '23 07:04 cavokz

Will this ever get updated? I can't use my yubikey since it doesn't recognize sk-ssh-ed25519 as a valid key_type_from_name.

katzeprior avatar Mar 07 '24 12:03 katzeprior

@katzeprior pam_ssh_agent_auth hasn't been maintained for a few years. In the meantime, you may be interested in pam_rssh which supports ed25519-sk keys.

Majiir avatar Mar 10 '24 22:03 Majiir

Harsh, but fair. I would love assistance updating this project at some point, but I've not had time to really do much with this in quite a while.

jbeverly avatar Mar 12 '24 05:03 jbeverly