Re: pam_ssh_agent_auth on a Guix System?
From: Giovanni Biscuolo
Subject: Re: pam_ssh_agent_auth on a Guix System?
Date: Wed, 31 May 2023 09:46:47 +0200
Hi Felix,
Felix Lechner <felix.lechner@lease-up.com> writes:
[...]
>> I'd like to execute sudo without having to set and enter a password [1]
>> and that PAM module is needed
well, the above description is misleading :-(
> You could also add a line like this to your /etc/sudoers (but I don't
> recommend it)
>
> user_name ALL=(ALL) NOPASSWD:ALL
actually I don't want to disable authentication, I'd like to:
--8<---------------cut here---------------start------------->8---
permit anyone who has an SSH_AUTH_SOCK that manages the private key
matching a public key in /etc/security/authorized_keys to execute sudo
without having to enter a password. Note that the ssh-agent listening to
SSH_AUTH_SOCK can either be local, or forwarded.
Unlike NOPASSWD, this still requires an authentication, it's just that
the authentication is provided by ssh-agent, and not password entry.
--8<---------------cut here---------------end--------------->8---
(from https://pamsshagentauth.sourceforge.net/)
>> is someone already using such a configuration in a Guix System?
>
> Not quite. I added my public ssh key to root's authorized_keys. It's
> different from what you are looking for but gives you a root prompt
> with 'ssh root@localhost`.
mumble... I wonder if this works with a forwarded ssh-agent (this means
that you don't need your private ssh key on the remote host to do that
ssh)
> I did it because it's required for 'guix deploy'.
>
> Personally, I have not used the SSH agent, but it's an interesting
> avenue. I use Kerberos instead, which is probably the gold standard
> for distributed authentication. You are doing the right thing by
> thinking about your options.
I have never used Kerberos (I should learn it), but if possible I'd like to
avoid installing and configuring extra services; ssh is ubiquitous, and
installing and configuring an ssh-agent on the client /maybe/ is easier
than a Kerberos client
[...]
Thanks! Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
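The quoted description of pam_ssh_agent_auth boils down to one matching rule: sudo is permitted without a password when the agent behind SSH_AUTH_SOCK (local or forwarded) offers a key whose type and public blob appear in /etc/security/authorized_keys. The script below is an added example, not code from the thread or from the pam_ssh_agent_auth project, that applies that rule offline against constructed sample files and, optionally, against a live agent via `ssh-add -L`. The file names, the fake key blobs and the helper names are assumptions made here; the two configuration lines quoted in the comments are the module's upstream-documented setup and are given for reference only. On Guix System /etc/pam.d is generated from the system services, so the PAM line would be added through the service configuration rather than by editing the file.

```shell
#!/bin/sh
# Added example (not from the thread): an offline check of the matching
# rule pam_ssh_agent_auth applies, i.e. "does the agent behind
# SSH_AUTH_SOCK offer a key listed in /etc/security/authorized_keys?".
# The module's documented setup (upstream README) is, for reference:
#   /etc/sudoers:    Defaults env_keep += "SSH_AUTH_SOCK"
#   /etc/pam.d/sudo: auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys

# Compare an authorized_keys-style file with an agent listing in the format
# `ssh-add -L` prints ("type base64-blob [comment]", one key per line).
# Only key type and blob are compared: the comment differs between the
# agent and the file and must not influence the decision.
# Returns 0 if at least one agent key is authorized, 1 otherwise.
agent_has_authorized_key() {
    awk '
        FNR == NR {                          # first file: authorized_keys
            if ($0 ~ /^[ \t]*#/ || NF < 2) next
            auth[$1 " " $2] = 1
            next
        }
        NF >= 2 && (($1 " " $2) in auth) { found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1" "$2"
}

# Check the live agent: SSH_AUTH_SOCK must reach an agent and `ssh-add -L`
# must list at least one key, otherwise report 2 ("no usable agent").
# Optional argument: the authorized_keys file to check against.
live_agent_check() {
    listing=$(ssh-add -L 2>/dev/null) || return 2
    tmp=$(mktemp) || return 2
    printf '%s\n' "$listing" > "$tmp"
    agent_has_authorized_key "${1:-/etc/security/authorized_keys}" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample data (fake key blobs, not real keys).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
AUTH_FILE=$DEMO_DIR/authorized_keys
AGENT_MATCH=$DEMO_DIR/agent_match      # agent holding an authorized key
AGENT_NOMATCH=$DEMO_DIR/agent_nomatch  # agent holding only an unrelated key
cat > "$AUTH_FILE" <<'EOF'
# keys allowed to satisfy pam_ssh_agent_auth (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONEconstructed0000000000 gio@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYTWOconstructed0000000000 admin@desk
EOF
cat > "$AGENT_MATCH" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYTWOconstructed0000000000 forwarded-from-desk
EOF
cat > "$AGENT_NOMATCH" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYXYZconstructed0000000000 someone@else
EOF

# Stand-alone demonstration on the constructed files.
if agent_has_authorized_key "$AUTH_FILE" "$AGENT_MATCH"; then
    echo "match: the forwarded agent offers an authorized key (comment ignored)"
fi
if ! agent_has_authorized_key "$AUTH_FILE" "$AGENT_NOMATCH"; then
    echo "no match: an agent without an authorized key would still be asked for a password"
fi
```

Running `live_agent_check` over a forwarded connection is the quickest way to confirm the point raised above about forwarded agents: the private key never leaves the client, yet the check (and so the PAM module) succeeds as long as the forwarded agent offers a listed key.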