This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
pam_ssh_agent_auth is a subpackage of openssh developed separately. Last years its development has effectively stopped and we are not aware of it being used actively.
The goal of this proposal is to drop this package (as it will be done in RHEL10) to reduce the maintenance burden.
Feedback
Benefit to Fedora
Removing a package of limited use and maintenance
Reducing the maintenance burden
Scope
Proposal owners: remove the corresponding files from OpenSSH package
If you are in favor but have reservations, or are opposed but something could change your mind, please explain in a reply.
We want everyone to be heard, but many posts repeating the same thing actually makes that harder. If you have something new to say, please say it. If, instead, you find someone has already covered what you’d like to express, please simply give that post a instead of reiterating. You can even do this by email, by replying with the heart emoji or just “+1”. This will make long topics easier to follow.
Please note that this is an advisory “straw poll” meant to gauge sentiment. It isn’t a vote or a scientific survey. See About the Change Proposals category for more about the Change Process and moderation policy.
I absolutely use this package for sudo authentication. It’s a great way to use sudo without a password but still require authentication. Native passwordless sudo configuration is entirely non-interactive, but this PAM module provides a mechanism that can operate without a password, but still enforce interaction, or at least ensure that the user is actually authorized to use sudo.
I’m not sure how that would help. For local sudo usage, I use pam_u2f.so, which requires me to tap my FIDO2 token. This prevents random things from usingg sudo, since I obviously won’t tap my token unless I just ran sudo myself. I use pam_ssh_agent_auth.so to get this same effect when managing machines remotely. I add my FIDO2-backed SSH key to my agent, then forward the agent socket to the remote machine. When I run sudo on the remote machine, I still have to touch my FIDO2 token on my local machine. I honestly don’t know much about Polkit, as I tend to avoid it whenever I can, but I do not see how I could achieve this setup using its policy framework.
That said, I’m not married to pam_ssh_agent_auth.so. I don’t think I have encountered pam_rssh before, but according to its README, it’s intent to do exactly what I described here. If it were packaged for Fedora, I could probably use that. I’d be happy to help with the packaging/testing effort if I can.
I’d strongly prefer having pam_rssh packaged, but we need to package some crates for this purposes. GitHub - neverpanic/pam_rssh: RPM package for pam_rssh is an naïve attempt to package it by @clang but it doesn’t fit Fedora requirements for Rust packages
I use pam_rssh in my development VM and it works great there. One thing to note is that the default configuration of pam_rssh is insecure, because the default configuration file is writable by the sudoing user, effectively giving any user that’s allowed to use pam_rssh a way to add arbitrary additional SSH public keys. See also Default `auth_key_file` is insecure · Issue #17 · z4yx/pam_rssh · GitHub.
However, this should not block packaging into Fedora, since this problem is trivially avoidable by specifying a path to an auth_key_file that is not writable by a user, and we should probably either do so in Fedora, or apply a patch that does so by default.
pam_rssh doesn’t have a huge number of dependencies. From a quick search, it seems we’d need to package the following crates to get this into Fedora: