jbeverly/pam_ssh_agent_auth

Support FIDO/U2F ecdsa-sk and ed25519-sk ssh keys

srstsavage opened this issue · 10 comments

Support for the new ecdsa-sk and ed25519-sk key types would be awesome.

To help those Googling for this issue, here's the exact text of the error I get (which I'm fairly certain is caused by this issue):

pam_ssh_agent_auth: error: key_from_blob: remaining bytes in key blob 89

I've been playing around with using pam_ssh_agent_auth for pam authentication of sudo over an ssh connection with my yubikey. Added KEY_ECDSA_SK type, and sk_application to the Key struct, and a few minor modifications later, pam_ssh_agent_auth now seems to be correctly requesting authentication from the client using the yubikey. Next thing I attempted was to handle ECDSA_SK signatures correctly, basing my changes on openssh ssh_ecdsa_sk_verify function implementation, but have not had success here so far.

But this is kind of reinventing the wheel, patching changes the openssh project already got working into this very similar (but different enough) code base. I have also briefly investigated jbeverly's pam_ssh_agent_auth-2.0 fork of openssh-portable, since it would get SK key support "for free" with a rebase, but it looks like that project has a lot of catching-up to do.
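An added example, not code from pam_ssh_agent_auth or OpenSSH, showing where the extra bytes come from: the sk- key types carry one more wire-format string after the ordinary key material, the FIDO application string (typically "ssh:"), so a parser that stops after the type name is left with that material unconsumed. For a constructed sk-ecdsa-sha2-nistp256@openssh.com blob with application "ssh:", the curve name, point and application fields add up to exactly 89 bytes, the figure in the error quoted above. The key material is a placeholder, not a real key.

```python
import struct

# Field names that follow the type string in each public-key blob.
# The sk- layouts follow OpenSSH's PROTOCOL.u2f: ordinary key material,
# then the FIDO application string (e.g. b"ssh:").
SK_AWARE = {
    b"ssh-ed25519": ["pk"],
    b"sk-ssh-ed25519@openssh.com": ["pk", "application"],
    b"ecdsa-sha2-nistp256": ["curve", "q"],
    b"sk-ecdsa-sha2-nistp256@openssh.com": ["curve", "q", "application"],
}
# Assumed legacy table: a parser that knows none of the sk- types.
LEGACY = {k: v for k, v in SK_AWARE.items() if not k.startswith(b"sk-")}

def read_string(blob, off):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string body")
    return blob[off:off + n], off + n

def put_string(data):
    return struct.pack(">I", len(data)) + data

def parse_pubkey_blob(blob, layouts):
    """Parse a blob with the given field table. An unknown type consumes only
    the type name, mirroring a parser that falls through to an unspecified
    key type. 'remaining' is the count of unconsumed bytes (0 = clean parse)."""
    type_name, off = read_string(blob, 0)
    key = {"type": type_name.decode()}
    for name in layouts.get(type_name, []):
        key[name], off = read_string(blob, off)
    key["remaining"] = len(blob) - off
    return key

def build_ecdsa_sk_blob(q, application=b"ssh:"):
    """Constructed sk-ecdsa-sha2-nistp256@openssh.com blob (sample data, not a real key)."""
    return (put_string(b"sk-ecdsa-sha2-nistp256@openssh.com") + put_string(b"nistp256")
            + put_string(q) + put_string(application))

if __name__ == "__main__":
    q = b"\x04" + bytes(64)  # uncompressed P-256 point placeholder: 65 bytes
    blob = build_ecdsa_sk_blob(q)
    for label, table in (("legacy", LEGACY), ("sk-aware", SK_AWARE)):
        k = parse_pubkey_blob(blob, table)
        print(f"{label}: remaining bytes in key blob {k['remaining']}")
```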

You might be interested in my implementation, see #3.

@cavokz Tried it out, appears to work perfectly for my yubikey use case above.

However your mailing list conversation is making me rethink whether this sudo use case makes sense to begin with.

@davex25 What to do then if sshd is not there? Is using it as sudo replacement a reason good enough for installing and configuring it to listen on localhost only? I cannot answer, I usually install it quite early on a new machine.

I was looking into doing this (i.e. use my Yubikey to sudo over ssh), and then I realised that instead of going through the trouble of setting up the PAM module, I could just ssh to root when needed (quite obviously 😅):

# ssh as user:
ssh user@server

# ssh as root:
ssh root@server

In the mailing list, somebody suggests that instead of doing this, it should be possible to set up the remote machine such that one can become root with:

ssh user@server # on the local machine
ssh -A localhost -l root # on the remote machine

@cavokz: did I understand this correctly?

I think so :)

Will this ever get updated? I can't use my yubikey since it doesn't recognize sk-ssh-ed25519 as a valid key_type_from_name.

@katzeprior pam_ssh_agent_auth hasn't been maintained for a few years. In the meantime, you may be interested in pam_rssh which supports ed25519-sk keys.

Harsh, but fair. I would love assistance updating this project at some point, but I've not had time to really do much with this in quite a while.