F42 Change Proposal: Deprecate pam-ssh-agent component (self-contained)

Remove pam-ssh-agent component

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Wiki
Announced

:link: Summary

Drop pam_ssh_agent_auth component from Fedora 42

:link: Owner

:link: Detailed Description

pam_ssh_agent_auth is a subpackage of openssh developed separately. Last years its development has effectively stopped and we are not aware of it being used actively.

The goal of this proposal is to drop this package (as it will be done in RHEL10) to reduce the maintenance burden.

:link: Feedback

:link: Benefit to Fedora

  • Removing a package of limited use and maintenance
  • Reducing the maintenance burden

:link: Scope

  • Proposal owners: remove the corresponding files from OpenSSH package

  • Other developers:

  • Release engineering: #Releng issue number

  • Policies and guidelines: N/A (not needed for this Change)

  • Trademark approval: N/A (not needed for this Change)

  • Alignment with the Fedora Strategy:

:link: Upgrade/compatibility impact

The users can still use this package from previous distributions if they really need it.

:link: Early Testing (Optional)

Do you require ‘QA Blueprint’ support? N

:link: How To Test

:link: User Experience

I expect the user experience effects to be minor because of quite limited usage of this package

:link: Dependencies

None

:link: Contingency Plan

There are 2 relevant options:

:link: Documentation

N/A (not a System Wide Change)

:link: Release Notes

We drop pam_ssh_agent_auth module

Last edited by @amoloney 2024-12-03T17:15:32Z

Last edited by @amoloney 2024-12-03T17:15:32Z

How do you feel about the proposal as written?

  • Strongly in favor
  • In favor, with reservations
  • Neutral
  • Opposed, but could be convinced
  • Strongly opposed
0 voters

If you are in favor but have reservations, or are opposed but something could change your mind, please explain in a reply.

We want everyone to be heard, but many posts repeating the same thing actually makes that harder. If you have something new to say, please say it. If, instead, you find someone has already covered what you’d like to express, please simply give that post a :heart: instead of reiterating. You can even do this by email, by replying with the heart emoji or just “+1”. This will make long topics easier to follow.

Please note that this is an advisory “straw poll” meant to gauge sentiment. It isn’t a vote or a scientific survey. See About the Change Proposals category for more about the Change Process and moderation policy.

I absolutely use this package for sudo authentication. It’s a great way to use sudo without a password but still require authentication. Native passwordless sudo configuration is entirely non-interactive, but this PAM module provides a mechanism that can operate without a password, but still enforce interaction, or at least ensure that the user is actually authorized to use sudo.

2 Likes

Could this be done with polkit?

I’m not sure how that would help. For local sudo usage, I use pam_u2f.so, which requires me to tap my FIDO2 token. This prevents random things from usingg sudo, since I obviously won’t tap my token unless I just ran sudo myself. I use pam_ssh_agent_auth.so to get this same effect when managing machines remotely. I add my FIDO2-backed SSH key to my agent, then forward the agent socket to the remote machine. When I run sudo on the remote machine, I still have to touch my FIDO2 token on my local machine. I honestly don’t know much about Polkit, as I tend to avoid it whenever I can, but I do not see how I could achieve this setup using its policy framework.

That said, I’m not married to pam_ssh_agent_auth.so. I don’t think I have encountered pam_rssh before, but according to its README, it’s intent to do exactly what I described here. If it were packaged for Fedora, I could probably use that. I’d be happy to help with the packaging/testing effort if I can.

2 Likes

I’d strongly prefer having pam_rssh packaged, but we need to package some crates for this purposes. GitHub - neverpanic/pam_rssh: RPM package for pam_rssh is an naïve attempt to package it by @clang but it doesn’t fit Fedora requirements for Rust packages

I use pam_rssh in my development VM and it works great there. One thing to note is that the default configuration of pam_rssh is insecure, because the default configuration file is writable by the sudoing user, effectively giving any user that’s allowed to use pam_rssh a way to add arbitrary additional SSH public keys. See also Default `auth_key_file` is insecure · Issue #17 · z4yx/pam_rssh · GitHub.

However, this should not block packaging into Fedora, since this problem is trivially avoidable by specifying a path to an auth_key_file that is not writable by a user, and we should probably either do so in Fedora, or apply a patch that does so by default.

pam_rssh doesn’t have a huge number of dependencies. From a quick search, it seems we’d need to package the following crates to get this into Fedora:

This change proposal has now been submitted to FESCo with ticket #3321 for voting.

To find out more, please visit our Changes Policy documentation.

The goal of this proposal is to drop this package

Do you propose to drop it or to deprecate it? The change proposal seems to mix the two things together.

I see the change proposal was renamed to Remove pam-ssh-agent component. Maybe this topic and the FESCo ticket should be renamed as well?

I propose dropping. It’s a leaf package so not sure what deprecation would change.