Package: libpam-ssh-agent-auth
Version: 0.10.3-3
Severity: wishlist

Dear Maintainer,


   * What led up to the situation?

I wanted to use a U2F token for remote sudo authentication

   * What exactly did you do (or not do) that was effective (or
     ineffective)?


on the client (device with u2f token attached):

        ssh-keygen -f ~/.ssh/id_sudo
        ssh-agent -a ~/.ssh/sudo_agent
        ssh -o ForwardAgent=~/.ssh/sudo_agent jonny@alexandria

on the server (where sudo should use pam_ssh_agent_auth):

- in /etc/pam.d/sudo prepend

    auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys debug

- in /etc/security/authorized_keys I added my ecdsa-sk key
sk-ecdsa-sha2-nistp...@openssh.com AAA...oOg== j@io
  with ssh-agent -L | sudo tee -a /etc/security/authorized_keys

- clear sudo cache (sudo -k) or relogin

- try sudo -s


   * What was the outcome of this action?

- sudo asked for my password
- in /var/log/auth.log:
Apr 29 14:56:24 alexandria sudo[624016]: pam_ssh_agent_auth: key_type_from_name: unknown key type 'sk-ecdsa-sha2-nistp...@openssh.com'
Apr 29 14:56:24 alexandria sudo[624016]: pam_ssh_agent_auth: error: key_from_blob: remaining bytes in key blob 89

   * What outcome did you expect instead?

getting asked to touch my u2f token



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-ssh-agent-auth depends on:
ii  libc6      2.30-4
ii  libpam0g   1.3.1-5
ii  libssl1.1  1.1.1g-1

libpam-ssh-agent-auth recommends no packages.

libpam-ssh-agent-auth suggests no packages.

-- no debconf information
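
The 89 in the second log line is consistent with the size of an ECDSA security-key public key blob once only its type name has been read. The sketch below is an added example, not part of the report and not pam_ssh_agent_auth code; it models a parser without security-key support using a constructed key and flags such entries in an authorized_keys file. Assumptions: the `LEGACY_TYPES` list, all helper names, the `sk-ecdsa-sha2-nistp256@openssh.com` type with an `ssh:` application string, and key lines without an options prefix.

```python
import base64
import struct

# Assumption: key types a pre-FIDO parser recognises (illustrative list, not
# taken from the pam_ssh_agent_auth source).
LEGACY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one length-prefixed string; reject lengths that overrun the blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("string length exceeds blob size")
    return blob[offset + 4:end], end

def make_sk_ecdsa_blob(application: bytes = b"ssh:") -> bytes:
    """Constructed sample key: a dummy 65-byte uncompressed P-256 point."""
    point = b"\x04" + bytes(64)
    return (ssh_string(SK_ECDSA.encode()) + ssh_string(b"nistp256")
            + ssh_string(point) + ssh_string(application))

def legacy_parse(blob: bytes) -> tuple[str, bool, int]:
    """Return (key type, recognised?, bytes left unparsed after the type name)."""
    name, offset = read_string(blob, 0)
    key_type = name.decode("ascii", "replace")
    return key_type, key_type in LEGACY_TYPES, len(blob) - offset

def unsupported_entries(authorized_keys: str) -> list[tuple[int, str]]:
    """List (line number, key type) for entries a legacy parser would reject."""
    flagged = []
    for lineno, line in enumerate(authorized_keys.splitlines(), 1):
        fields = line.split()
        if len(fields) < 2 or line.lstrip().startswith("#"):
            continue
        key_type, known, _ = legacy_parse(base64.b64decode(fields[1]))
        if not known:
            flagged.append((lineno, key_type))
    return flagged
```

The security-key blob carries a curve name, the EC point and an application string after the type name; with the constructed key those three fields total 89 bytes.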
