This PAM module provides ssh-agent based authentication

Overview

PAM-RSSH

This PAM module provides ssh-agent based authentication. The primary design goal is to avoid typing a password when you run sudo on remote servers. Instead, you can simply touch your hardware security key (e.g. Yubikey/Canokey) to fulfill user verification. This works by forwarding the remote authentication request to the client-side ssh-agent as a signature request.

This project is written in Rust to minimize security flaws.

Development Status

This is a preliminary version. Testing and feedback are needed.

Currently supported SSH public key types:

  • RSA (with SHA256 digest)
  • ECDSA 256/384/521
  • ED25519

Under development:

  • FIDO2 (ed25519-sk/ecdsa-sk)
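The signature request mentioned in the overview, framed the way the ssh-agent protocol defines it. This is an added example, not code from pam_rssh: the message numbers and flag value come from the ssh-agent protocol draft (draft-miller-ssh-agent), and the function names are hypothetical. It sets the SHA-256 flag for RSA keys, matching the "RSA (with SHA256 digest)" entry above, and reports SSH_AGENT_FAILURE as a refusal.

```rust
// Added illustration, not pam_rssh code; constants per draft-miller-ssh-agent.
const SSH_AGENT_FAILURE: u8 = 5;
const SSH_AGENTC_SIGN_REQUEST: u8 = 13;
const SSH_AGENT_SIGN_RESPONSE: u8 = 14;
const SSH_AGENT_RSA_SHA2_256: u32 = 2; // RSA keys: sign with SHA-256

/// Append an SSH "string": 4-byte big-endian length, then the bytes.
fn put_string(buf: &mut Vec<u8>, s: &[u8]) {
    buf.extend_from_slice(&(s.len() as u32).to_be_bytes());
    buf.extend_from_slice(s);
}

/// Read an SSH "string" at `*pos`; None if the length overruns the buffer.
fn get_string<'a>(buf: &'a [u8], pos: &mut usize) -> Option<&'a [u8]> {
    let start = pos.checked_add(4)?;
    let b = buf.get(*pos..start)?;
    let len = u32::from_be_bytes([b[0], b[1], b[2], b[3]]) as usize;
    let s = buf.get(start..start.checked_add(len)?)?;
    *pos = start + len;
    Some(s)
}

/// uint32 length || byte 13 || string key_blob || string data || uint32 flags
fn sign_request(key_blob: &[u8], challenge: &[u8]) -> Vec<u8> {
    let mut body = vec![SSH_AGENTC_SIGN_REQUEST];
    put_string(&mut body, key_blob);
    put_string(&mut body, challenge);
    // A public key blob starts with its algorithm name as an SSH string.
    let rsa = get_string(key_blob, &mut 0) == Some(&b"ssh-rsa"[..]);
    body.extend_from_slice(&(if rsa { SSH_AGENT_RSA_SHA2_256 } else { 0 }).to_be_bytes());
    let mut msg = Vec::new();
    put_string(&mut msg, &body);
    msg
}

/// Parse the agent's reply into (signature algorithm, raw signature bytes).
fn parse_sign_response(msg: &[u8]) -> Result<(String, Vec<u8>), &'static str> {
    let body = get_string(msg, &mut 0).ok_or("truncated frame")?;
    match body.first() {
        Some(&SSH_AGENT_SIGN_RESPONSE) => {}
        Some(&SSH_AGENT_FAILURE) => return Err("agent refused to sign"),
        _ => return Err("unexpected message type"),
    }
    let sig = get_string(body, &mut 1).ok_or("truncated signature")?;
    let mut q = 0;
    let alg = get_string(sig, &mut q).ok_or("bad signature blob")?;
    let raw = get_string(sig, &mut q).ok_or("bad signature blob")?;
    Ok((String::from_utf8_lossy(alg).into_owned(), raw.to_vec()))
}
```

The caller should still check that the returned algorithm name is the one it asked for before verifying the signature against a key from authorized_keys.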

Build and Install

Prerequisites:

  • OpenSSL (>=1.1.1)
  • libpam
  • Rust (with Cargo)

cargo build --release
cp target/release/libpam_rssh.so /usr/local/lib/

Config

Add the following line to /etc/pam.d/sudo (place it before existing rules):

auth sufficient /usr/local/lib/libpam_rssh.so

Then edit sudoers with the visudo command and add the following line. It makes sudo keep the environment variable so that this module can communicate with ssh-agent:

Defaults        env_keep += "SSH_AUTH_SOCK"

Start an ssh-agent on your client, then add your keys with ssh-add.

Then ssh to your server with agent forwarding (the -A option) and run sudo there.

Arguments

The following arguments are supported:

  • loglevel= Select the level of messages logged to syslog. Defaults to warn.
  • debug Equivalent to loglevel=debug.
  • ssh_agent_addr= The address of ssh-agent. Defaults to the value of SSH_AUTH_SOCK environment variable, which is set by ssh automatically.
  • auth_key_file= Public keys allowed for user authentication. Defaults to /home/ /.ssh/authorized_keys .

Arguments should be appended to the PAM rule. For example, auth sufficient /usr/local/lib/libpam_rssh.so debug.

Comments
  • Fails to build


    First, thank you for this. pam_ssh_agent_auth does not support ed25519-sk for use with sudo so this project looks promising.

    Unfortunately, I am 100% unfamiliar with rust and cargo.

    In simply cloning the repository and running cargo build --release I am presented with an error.

        Updating crates.io index
    error: failed to get `pam` as a dependency of package `pam_rssh v0.2.0 (/home/dopefish/builds/pam_rssh)`
    
    Caused by:
      failed to load source for dependency `pam`
    
    Caused by:
      Unable to update /home/dopefish/builds/pam_rssh/dep/pam-rs/pam
    
    Caused by:
      failed to read `/home/dopefish/builds/pam_rssh/dep/pam-rs/pam/Cargo.toml`
    
    Caused by:
      No such file or directory (os error 2)
    

    From here I googled pam-rs and found another github repository. In the dep folder I cloned https://github.com/anowell/pam-rs.git.

    Again, I built but received another error.

        Updating crates.io index
    error: failed to get `ssh-agent` as a dependency of package `pam_rssh v0.2.0 (/home/dopefish/builds/pam_rssh)`
    
    Caused by:
      failed to load source for dependency `ssh-agent`
    
    Caused by:
      Unable to update /home/dopefish/builds/pam_rssh/dep/ssh-agent.rs
    
    Caused by:
      failed to read `/home/dopefish/builds/pam_rssh/dep/ssh-agent.rs/Cargo.toml`
    
    Caused by:
      No such file or directory (os error 2)
    

    I searched online for ssh-agent.rs and found another github repository. Just like before I cloned https://github.com/sekey/ssh-agent.rs.git.

    I went back to build again and received yet another error.

        Updating crates.io index
    error: no matching package named `pam` found
    location searched: /home/dopefish/builds/pam_rssh/dep/pam-rs/pam
    required by package `pam_rssh v0.2.0 (/home/dopefish/builds/pam_rssh)`
    

    There is a pam folder inside of pam-rs from the repository.

    I have been unable to get past building at this point.

    Help is appreciated!

    opened by dlrudie 4
  • Searches for authorized_keys at user's home dir


    Changes the default place to search for authorized_keys file.

    Instead of using the hardcoded /home/<username>/.ssh/authorized_keys, uses the user's home directory as returned by getpwnam. Some users (notably, root) have their home directories outside /home.

    Closes #1

    opened by piterpunk 3
  • Compiling errors


    After compiling everything I get this error:

    ... = note: /usr/bin/ld: cannot find -lpam

    I understand that this means ld can't find libpam.so but I don't know where to get that on Pop! OS. I'll keep looking but please let me know if you know of a solution.

    opened by hoopahmadness 1
  • Can't use pam_rssh to auth as root without a centralized authorized_keys file


    The default per user authorized_keys is hardcoded to /home/<username>/.ssh/authorized_keys. As root home dir is /root, the authorized_keys isn't found and pam_rssh auth fails:

    Jun 15 15:49:25 number5 pam_rssh[20769]: read_authorized_keys: Failed to read `/home/root/.ssh/authorized_keys`
    

    It's possible to set a centralized authorized_keys file as a workaround, but then all users will accept the same keys, which brings other problems.

    It would be nice if pam_rssh searched for authorized_keys in the user's home directory, so that we can have a per-user authorized_keys not only for users that have their home dir at /home/<username>, but also in other locations, like /root.

    opened by piterpunk 0
  • two minor changes


    1. rustc 1.66 wants to treat PamHandle differently; adding &mut fixes that.

    *** orig/lib.rs 2022-12-27 06:29:57.846782481 -0800 --- src/lib.rs 2022-12-27 06:23:00.133932449 -0800


    *** 73,79 **** }

    impl PamHooks for PamRssh { ! fn sm_authenticate(pamh: &PamHandle, args: Vec<&CStr>, _flags: PamFlag) -> PamResultCode { /* if (flags & pam::constants::PAM_SILENT) == 0 */ { setup_logger(); --- 73,79 ---- }

    impl PamHooks for PamRssh { ! fn sm_authenticate(pamh: &mut PamHandle, args: Vec<&CStr>, _flags: PamFlag) -> PamResultCode { /* if (flags & pam::constants::PAM_SILENT) == 0 */ { setup_logger();


    *** 171,177 **** }

      // Always return PAM_SUCCESS for sm_setcred, just like pam-u2f
    

    ! fn sm_setcred(_pamh: &PamHandle, _args: Vec<&CStr>, _flags: PamFlag) -> PamResultCode { info!("set-credentials is not implemented"); PamResultCode::PAM_SUCCESS } --- 171,177 ---- }

      // Always return PAM_SUCCESS for sm_setcred, just like pam-u2f
    

    ! fn sm_setcred(_pamh: &mut PamHandle, _args: Vec<&CStr>, _flags: PamFlag) -> PamResultCode { info!("set-credentials is not implemented"); PamResultCode::PAM_SUCCESS } 2) pam-rs changed to package reference to pam-bindings, so updated Cargo.toml to use crate.io entry pam-bindings = "^0.1.1"
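Review bot: the Cargo.toml change in item 2 is described only in prose, with no hunk, yet the `&mut PamHandle` signatures in sm_authenticate (hunk 73,79) and sm_setcred (hunk 171,177) can only compile if the PamHooks trait in the resolved pam crate declares those methods with `&mut PamHandle`, so the dependency change and the signature change have to land together. Please include the Cargo.toml diff in the same patch. Since `pam-bindings = "^0.1.1"` accepts any 0.1.x release from 0.1.1 on, commit Cargo.lock or pin the exact version so that the trait signatures this impl was written against are the ones that get built. A unified diff against the repository would also be easier to apply than this context diff taken from orig/lib.rs.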

    The build was successful and I have used it on some of my machines now.

    opened by aphuang2013 3
Owner
Yuxiang Zhang