I use pam_rssh in my development VM and it works great there. One thing to note is that the default configuration of pam_rssh is insecure, because the default configuration file is writable by the sudoing user, effectively giving any user that’s allowed to use pam_rssh a way to add arbitrary additional SSH public keys. See also Default `auth_key_file` is insecure · Issue #17 · z4yx/pam_rssh · GitHub.
However, this should not block packaging into Fedora, since this problem is trivially avoidable by specifying a path to an auth_key_file that is not writable by a user, and we should probably either do so in Fedora, or apply a patch that does so by default.
pam_rssh doesn’t have a huge number of dependencies. From a quick search, it seems we’d need to package the following crates to get this into Fedora:
- pam-bindings
- multisock
- subst
- syslog 7 (currently only 6.1.1 is in Fedora)