pam_rssh icon indicating copy to clipboard operation
pam_rssh copied to clipboard

Published 20 hours ago verified publisher icon z4yx

Metadata

Remote sudo authenticated via ssh-agent

PAM-RSSH

Rust

This PAM module provides ssh-agent based authentication. The primary design goal is to avoid typing password when you sudo on remote servers. Instead, you can simply touch your hardware security key (e.g. Yubikey/Canokey) to fulfill user verification. The process is done by forwarding the remote authentication request to client-side ssh-agent as a signature request.

This project is developed in Rust language to minimize security flaws.

Development Status

It's ready for production use, and has been tested on production servers for over a year. More tests and feedback are welcome.

Currently supported SSH public key types:

  • RSA (with SHA256 digest)
  • DSA
  • ECDSA 256/384/521
  • ECDSA-SK (FIDO2/U2F)
  • ED25519
  • ED25519-SK (FIDO2)

Build and Install

Prerequisites:

  • OpenSSL (>=1.1.1)
  • libpam
  • Rust (with Cargo)

Clone this repo with a submodule.

git clone --recurse-submodule https://github.com/z4yx/pam_rssh.git
cd pam_rssh

Then build it using Cargo.

cargo build --release
cp target/release/libpam_rssh.so <pam module path>

pam module path

  • the module path is specific to certain distributions
OS Destination
Arch Linux /usr/lib/security/
Debian /lib/x86_64-linux-gnu/security/
openSUSE /lib/security/

Config

Add the following line to /etc/pam.d/sudo (place it before existing rules):

auth sufficient libpam_rssh.so

Then edit sudoers with visudo command. Add the following line: (It makes sudo keep the environment variable, so this module can communicate with ssh-agent)

Defaults        env_keep += "SSH_AUTH_SOCK"

Start a ssh-agent on your client, then add your keys with ssh-add.

Try to ssh to your server with forwarded agent (-A option), and make a sudo there.

Optional Arguments

The following arguments are supported:

  • loglevel=<off|error|warn|info|debug|trace> Select the level of messages logged to syslog. Defaults to warn.
  • debug Equivalent to loglevel=debug.
  • ssh_agent_addr=<IP:port or UNIX domain address> The address of ssh-agent. Defaults to the value of SSH_AUTH_SOCK environment variable, which is set by ssh automatically.
  • auth_key_file=<Path to authorized_keys> Public keys allowed for user authentication. Defaults to $HOME/.ssh/authorized_keys. Usually $HOME expands to /home/<username>.
  • authorized_keys_command=<Path to command> A command to generate the authorized_keys. It takes a single argument, the username of the user being authenticated. The standard output of this command will be parsed as authorized_keys. The auth_key_file will be ignored if you specify this argument.
  • authorized_keys_command_user=<Username> The authorized_keys_command will be run as the user specified here. If this argument is omitted, the authorized_keys_command will be run as the user being authenticated.

Arguments should be appended to the PAM rule. For example:

auth sufficient libpam_rssh.so debug authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys authorized_keys_command_user=nobody

Metadata

76
Stars
7
Forks
Watchers

Owner

verified publisher icon z4yx

Metadata

Remote sudo authenticated via ssh-agent

Back