Recent changes to feature-requests

#4 support auto-adding ecdsa_sk and ed25519_sk keys

Stefan Winter — Fri, 02 Jul 2021 08:29:59 -0000

Looking at the code, I do see ed25519_sk, but not ecdsa_sk, so my feature request reduces to ecdsa_sk support. ("I don't have a security key supporting ed25519_sk, you insensitive clod!") ;-)

support auto-adding ecdsa_sk and ed25519_sk keys

Stefan Winter — Fri, 02 Jul 2021 08:24:14 -0000

pam_ssh does not seem to support loading hardware-backed keys (ecdsa_sk and ed25519_sk). I have added such a key in both the .ssh/ and .ssh/login-keys.d/ directories along with three others of type id_rsa, id_ecdsa and id_ed25519. All four keys have the same passphrase.

When logging in with pam_ssh, the three others are unlocked and added to the ssh-agent session, but the ecdsa_sk one is not.

The key itself is in order, a manual "ssh-add id_ecdsa_sk" adds the key just fine.

I believe the code would need to be(come) aware of *_sk keys first. Can you confirm this is a missing feature?

#3 ED25519 key support

Wolfgang Rosenauer — Wed, 06 May 2015 08:11:56 -0000

status: open --> closed
assigned_to: Wolfgang Rosenauer

#3 ED25519 key support

Wolfgang Rosenauer — Wed, 06 May 2015 08:11:34 -0000

ED25519 key support released in 2.1

#3 ED25519 key support

Siuchung Cheung (Clement) — Sun, 18 Jan 2015 05:54:32 -0000

Looked into this problem a little further. It appears that ssh-add is produced like this in OpenSSH Makefile:
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

So the ugly but easy way out is to pick up the whole thing like ssh-add did and forget about getting rid of functions we don't need...

ED25519 key support

Siuchung Cheung (Clement) — Sun, 18 Jan 2015 05:26:05 -0000

Pretty much the same as ECDSA support added in 2.0. Need another sync from OpenSSH to pick up the new code with EC25519 support.

I can see in the TODO file that you're planning to switch to using ssh-add. That would avoid the need to do more syncs. But if we're not doing that, the OpenSSH code should probably be in a separate directory to facilitate further syncing. There seems to be more than 1 file that comes from OpenSSH. Thanks.

ED25519 key support

Siuchung Cheung (Clement) — Sun, 18 Jan 2015 05:26:05 -0000

Ticket 3 has been modified: ED25519 key support
Edited By: Wolfgang Rosenauer (rosenauer)
Status updated: u'open' => u'closed'
Owner updated: None => u'rosenauer'

Re-add identity to already running agent

Robert Cernansky — Thu, 24 Sep 2009 18:53:41 -0000

It would be usefull if pam_ssh will try to add identity if it finds already running agent for a user. This would handle situations like hibernation when identities are removed from agent and user is still logged in. The scenario would be following:

1. User logs in.
2. ssh-agent is started. Identity is unlocked and added to the agent.
3. User suspends the system to disk. Suspend script deletes all identities from ssh_agent for security reasons.
4. User resumes and unlocks the screen(saver) with its password.
5. pam_ssh founds that ssh-agent for that user is already running so it tries to unlock and add the identity to that running agent.

Authentication against ssh-agent

Chip Marshall — Mon, 15 Jul 2002 21:40:08 -0000

Would it be possible to make the module capable of
using an existing ssh-agent to authenticate the user?
This would be useful for commands like su and sudo.