pam_ssh_agent_auth 0.9.3. released

jbeverly — Tue, 07 Jun 2011 07:12:57 -0000

Release 0.9.3 is stable, and has been tested on RHEL5, Ubuntu LTS (8.04), Ubunto 8.10, and MacOS X 10.5

This release contains a few minor bugfixes and enhancements from 0.9.2; logging of which key provided successful authentication no longer requires 'debug' option. signing of keys now only happens if they are potentially valid; improved legibility of code in a few spots, and in so doing fixed a bug if you specified a path to an authorized key file >= 1024 characters.

This module can be used to provide authentication for anything run locally that
supports PAM. It was written specifically with the intention of permitting
authentication for sudo without password entry, and also has been proven useful
for use with su as an alternative to wheel.

It serves as middle ground between the two most common, and suboptimal
alternatives for large-scale system administration: allowing rootlogin via ssh,
or using NOPASSWD in sudoers. This module allows for ssh public-key
authentication, and it does this by leveraging an authentication mechanism you
are probably already using, ssh-agent.

There are caveats of course, ssh-agent forwarding has it’s own security risks
which must be carefully considered for your environment. In cases where there
are not untrustworthy intermediate servers, and you wish to retain traceability,
accountability, and required authentication for privileged command invocation,
the benefits should outweigh the risks. Release 0.9.2 can be downloaded from
SourceForge: https://sourceforge.net/project/showfiles.php?group_id=249556

If you encounter any issues with usability or security, please use the project's
SourceForge tracker:
https://sourceforge.net/tracker2/?group_id=249556&atid=1126337

Note that if you wish to use this for sudo, you will need a version of sudo that
preserves the env_keep environment during authentication; and ideally a version
incorporating my minor patch which ensures RUSER is set during PAM authentication.

sudo 1.6.8p12 does not work correctly with this PAM module, because it clears the
environment (even env_keep variables) prior to attempting PAM authentication.

sudo 1.7.2p1 or later is preferred, as it correctly sets PAM_RUSER for
authentication.

pam_ssh_agent_auth 0.9.2 released

jbeverly — Thu, 07 Jan 2010 03:40:49 -0000

pam_ssh_agent_auth is a PAM module which permits PAM authentication via your
keyring in a forwarded ssh-agent.

Release 0.9.2 is stable, and has been tested on NetBSD, FreeBSD, Solaris,
RHEL4, RHEL5, Debian Etch, Debian Lenny, Ubuntu LTS (8.04), Ubunto 8.10,
and MacOS X.

The only difference between this version, and version 0.9.1 is the license.
I have decided to switch to a BSD style license, and so all restrictions
previously imposed by the GPLv3 no longer apply as of version 0.9.2. This
relaxation of licensing terms is due in part with the original licensing of
openssh, from which this work has been derived.

If you encounter any issues with usability or security, please use the project's
SourceForge tracker:
https://sourceforge.net/tracker2/?group_id=249556&atid=1126337

sudo 1.6.8p12 does not work correctly with this PAM module, because it clears the
environment (even env_keep variables) prior to attempting PAM authentication.

sudo 1.7.2p1 or later is preferred, as it correctly sets PAM_RUSER for
authentication.

pam_ssh_agent_auth 0.6 released

jbeverly — Wed, 18 Mar 2009 18:50:30 -0000

pam_ssh_agent_auth v0.5 was missing a file due to a bad SVN export, please replace with 0.6. My appologies.

pam_ssh_agent_auth is a PAM module which permits authentication via ssh-agent.Release 0.6 is functionally stable, and has been tested on NetBSD, FreeBSD, Solaris, RHEL4, RHEL5, Debian Etch, Debian Lenny, Ubuntu LTS (8.04), Ubunto 8.10, and MacOS X.

Every effort has been taken to ensure that this module is safe, but you should use with caution, as this is still beta software. While this module can be used with any service that supports PAM, it was written with the intention of permitting authenticated sudo without password entry.It serves as middle ground between the two most common, and suboptimal alternatives for cluster administration: allowing root login via ssh, or using NOPASSWD in sudoers. This module allows public-key authentication, and it does this by leveraging an authentication mechanism you are probably already using, ssh-agent. There are caveats of course, ssh-agent forwarding has it’s own security risks which must be carefully considered for your environment. In cases where there are not untrustworthy intermediate servers, and you wish to retain traceability, accountability, and required authentication for privileged command invocation, the benefits should outweigh the risks. Release 0.5 can be downloaded from SourceForge: https://sourceforge.net/project/showfiles.php?group_id=249556

If you encounter any issues with usability or security, please use the project’s SourceForge tracker: https://sourceforge.net/tracker2/?group_id=249556&atid=1126337

Note that if you wish to use this for sudo, 1.6.8 seems to clean the environment prior to calling pam dlopen. You will need sudo >= 1.6.9 or < 1.6.8 to use this module for sudo.

pam_ssh_agent_auth 0.5 released

jbeverly — Wed, 18 Mar 2009 07:01:12 -0000

pam_ssh_agent_auth is a PAM module which permits authentication via ssh-agent.

Release 0.5 is functionally stable, and has been tested on NetBSD, FreeBSD, Solaris, RHEL4, RHEL5, Debian Etch, Debian Lenny, Ubuntu LTS (8.04), Ubunto 8.10, and MacOS X.

It serves as middle ground between the two most common, and suboptimal alternatives for cluster administration: allowing root login via ssh, or using NOPASSWD in sudoers. This module allows public-key authentication, and it does this by leveraging an authentication mechanism you are probably already using, ssh-agent.

There are caveats of course, ssh-agent forwarding has it’s own security risks which must be carefully considered for your environment. In cases where there are not untrustworthy intermediate servers, and you wish to retain traceability, accountability, and required authentication for privileged command invocation, the benefits should outweigh the risks. Release 0.5 can be downloaded from SourceForge: https://sourceforge.net/project/showfiles.php?group_id=249556

If you encounter any issues with usability or security, please use the project’s SourceForge tracker: https://sourceforge.net/tracker2/?group_id=249556&atid=1126337

Note that if you wish to use this for sudo, you will need a version of sudo that doesn't have a down-stream patch that cleans the environment prior to pam dlopen calls. For instance, on debian/ubuntu 1.6.9 works (1.6.8p12-1 does not); on RHEL, 1.6.7 or later works); on Darwin, I think any pristine source should work, but I've only tried 1.7

pam_ssh_agent_auth 0.4 released

jbeverly — Thu, 08 Jan 2009 04:47:47 -0000

pam_ssh_agent_auth is a PAM module which permits authentication via ssh-agent. Release 0.4 is functionally stable, and has been tested on NetBSD, FreeBSD, Solaris, Linux, and MacOS X. Every effort has been taken to ensure that this module is safe, but you should use with caution, as this is still beta software.

While this module can be used with any service that supports PAM, it was written with the intention of permitting authenticated sudo without password entry.

There are caveats of course, ssh-agent forwarding has it’s own security risks which must be carefully considered for your environment. In cases where there are not untrustworthy intermediate servers, and you wish to retain traceability, accountability, and required authentication for privileged command invocation, the benefits should outweigh the risks.

Release 0.4 can be downloaded from SourceForge: https://sourceforge.net/project/showfiles.php?group_id=249556&release_id=651506&package_id=304867

If you encounter any issues with usability or security, please use the project’s SourceForge tracker:
https://sourceforge.net/tracker2/?group_id=249556&atid=1126337

Recent posts to news

pam_ssh_agent_auth 0.9.3. released

pam_ssh_agent_auth 0.9.2 released

pam_ssh_agent_auth 0.6 released

pam_ssh_agent_auth 0.5 released

pam_ssh_agent_auth 0.4 released