A forked & modified version of https://github.com/uber/pam-ussh
Renovate[BOT] ce7463df3f
fix(deps): update module golang.org/x/crypto to v0.30.0 (#25)
Reviewed-on: #25
Co-authored-by: Renovate[BOT] <renovate-bot@auengun.net>
Co-committed-by: Renovate[BOT] <renovate-bot@auengun.net>
2024-12-05 01:29:13 +00:00
.forgejo/workflows chore(deps): update actions/forgejo-release action to v2.5.0 (#24) 2024-12-04 14:29:49 +00:00
debian pam-ussh: fix bug reported by Solar Designer. 2017-02-11 11:21:18 -08:00
release chore(ci): restructure/release for automated release & version tracked to golang.org/x/crypto 2024-11-23 19:47:43 -06:00
.gitignore gitignore: Ignore build artifacts 2017-10-02 15:05:38 -07:00
.renovaterc.json5 chore: Configure Renovate (#2) 2024-07-02 02:09:31 +00:00
go.mod fix(deps): update module golang.org/x/crypto to v0.30.0 (#25) 2024-12-05 01:29:13 +00:00
go.sum fix(deps): update module golang.org/x/crypto to v0.30.0 (#25) 2024-12-05 01:29:13 +00:00
LICENSE initial commit 2017-02-07 06:58:30 -08:00
Makefile chore: fix header 2024-11-23 19:48:39 -06:00
pam.go pam-ussh: fix bug reported by Solar Designer. 2017-02-11 11:21:18 -08:00
pam_c.go pam-ussh: don't allow pam-ussh to probe files. 2017-02-13 09:56:41 -08:00
pam_darwin.go initial commit 2017-02-07 06:58:30 -08:00
pam_linux.go pam-ussh: fix bug reported by Solar Designer. 2017-02-11 11:21:18 -08:00
pam_ussh.go Verify the certificate is signed by the correct root CA. 2021-06-14 21:49:02 -07:00
pam_ussh_test.go Verify the certificate is signed by the correct root CA. 2021-06-14 21:49:02 -07:00
README.md chore(ci): restructure/release for automated release & version tracked to golang.org/x/crypto 2024-11-23 19:47:43 -06:00
shell.nix chore(ci): restructure/release for automated release & version tracked to golang.org/x/crypto 2024-11-23 19:47:43 -06:00

A minimally maintained version of pam_ussh

This is a modified version of Uber's PAM module, which authenticates a user by checking that their ssh-agent holds an SSH certificate signed by a specified SSH CA. It has been updated for modern Go tooling and CI, and will be patched as problems come up; given the age of the code, expect further fixes and issues to surface over time.

Original README.md below

Uber's SSH certificate pam module.

This is a pam module that will authenticate a user based on them having an ssh certificate in their ssh-agent signed by a specified ssh CA.

This is primarily intended as an authentication module for sudo. Using it for something else may be unsafe (we haven't tested anything else). We'd be happy to learn of other potential uses though.

An example usage: you ssh to a remote machine and sshd authenticates you (probably using your ssh certificate, because if you're using certificates for this, you're probably using them for sshd as well). When you later run a command that requires authentication (eg. sudo), pam-ussh authenticates you with the same certificate through your forwarded agent.

Works on Linux and macOS. BSD doesn't work because Go doesn't (yet) support buildmode=c-shared on BSD.

Building:

  1. clone the repo and run 'make'
  $ git clone https://github.com/uber/pam-ussh

  ...

  $ make
  mkdir -p /home/pmoody/tmp/pam-ussh/.go/src
  GOPATH=/home/pmoody/tmp/pam-ussh/.go go get golang.org/x/crypto/ssh
  GOPATH=/home/pmoody/tmp/pam-ussh/.go go get golang.org/x/crypto/ssh/agent
  GOPATH=/home/pmoody/tmp/pam-ussh/.go go get github.com/stretchr/testify/require
  GOPATH=/home/pmoody/tmp/pam-ussh/.go go test -cover
  PASS
  coverage: 71.8% of statements
  ok  	_/home/pmoody/tmp/pam-ussh	0.205s
  GOPATH=/home/pmoody/tmp/pam-ussh/.go go build -buildmode=c-shared -o pam_ussh.so

  $

Usage:

  1. put this pam module wherever pam modules live on your system, eg. /lib/security

  2. add it as an authentication method, eg.

  $ grep auth /etc/pam.d/sudo
  auth [success=1 default=ignore] /lib/security/pam_ussh.so
  auth requisite                  pam_deny.so
  auth required                   pam_permit.so

  With these control flags, a success from pam_ussh skips the next line (pam_deny) and lands on pam_permit; any other result is ignored for scoring and falls through to pam_deny, so sudo fails closed. There is no password fallback in this stack.

  3. make sure your SSH_AUTH_SOCK is available where you want to use this (eg. ssh -A user@host)

Runtime configuration options:

  • ca_file - string, the path to your TrustedUserCAKeys file, default /etc/ssh/trusted_user_ca. This is the pubkey that signs your user certificates.

  • authorized_principals - string, comma separated list of authorized principals, default "". If set, the user needs to have a principal in this list in order to use this module. If this and authorized_principals_file are both set, only the last option listed is checked.

  • authorized_principals_file - string, path to an authorized_principals file, default "". If set, users need to have a principal listed in this file in order to use this module. If this and authorized_principals are both set, only the last option listed is checked.

  • group - string, default "". If set, the user needs to be a member of this group in order to use this module.

Example configuration:

the following looks for a certificate on $SSH_AUTH_SOCK that has been signed by the CA key in /etc/ssh/user_ca. Additionally, the certificate must carry a principal that is listed in /etc/ssh/root_authorized_principals

auth [success=1 default=ignore] /lib/security/pam_ussh.so ca_file=/etc/ssh/user_ca authorized_principals_file=/etc/ssh/root_authorized_principals

FAQ:

  • How do I report a security issue?

  • Does this work with plain (non-certificate) SSH keys?

    • No, not at the moment.
    • There's no reason it can't, though; we just didn't need it, so the functionality was never added.
  • Why aren't you using $DEP_SYSTEM?

    • We didn't need to, so we didn't bother.
  • Can you make it do $X?

    • Submit a feature request, or better yet a pull request.

Information on ssh certificates: