David Gwynne wrote:
> this is rough, but enough to start a discussion.
>
> this lets doas authenticate a user by talking to their ssh agent
> by specifying 'ssh-agent' on a permit line in the config. if agent
> auth fails, doas falls back to bsd auth (ie, password auth).
>
> to minimise the amount of code needed in doas, most of the heavy
> lifting is handed off to two external programs.
ehhh... woah, this is getting complicated fast.

> the first is a program that fetches a user's keys. it has to be
> provided by the system administrator.
>
> at work i have an AuthorizedKeysCommand thing that fetches keys
> from active directory (ie, an ldap) so users can do key based auth

and it sounds like you will be the only user...

If we add this, we would need to document it. And worse, users would need to read it. And it would sound cool, but then they'd struggle to set it up and get frustrated. It is, in short, an "attractive nuisance".

If bsd auth does not suit your needs, then I think that should be the place to focus your efforts.
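For readers who want to see what "talking to their ssh agent" involves on the wire, here is an added example (not code from the proposed patch, from doas, or from OpenSSH) of the client-side pieces such a scheme needs: SSH wire-format encoding, the agent protocol framing for "list identities" and "sign this", and matching the agent's identities against an authorized_keys-style list of the kind an AuthorizedKeysCommand-like helper would print. Signature verification is deliberately left to a real SSH library or helper; the message numbers are the standard ones from the SSH agent protocol draft, while the "doas-agent-auth" challenge prefix, the constructed sample keys and the sample key list are assumptions made up for this example.

```python
"""Client-side mechanics of an "authenticate via ssh-agent" flow.

Added example, not part of the doas proposal. It shows SSH wire encoding,
agent protocol framing and authorized_keys matching; it does NOT verify
signatures (use a real SSH library or helper for that).
"""
import base64
import hashlib
import os
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_RSA_SHA2_256 = 2  # flag: ask for rsa-sha2-256 rather than SHA-1 ssh-rsa


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Parse one SSH 'string' at offset; returns (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated agent message")
    return buf[off:off + n], off + n


def request_identities() -> bytes:
    """Framed SSH_AGENTC_REQUEST_IDENTITIES (agent messages are length-prefixed)."""
    return ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def parse_identities_answer(payload: bytes):
    """payload = message body after the outer length prefix; returns [(blob, comment)]."""
    if payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply %d" % payload[0])
    (count,) = struct.unpack_from(">I", payload, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(payload, off)
        comment, off = read_string(payload, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys


def key_type(blob: bytes) -> str:
    """The key type name is the first SSH string inside a public key blob."""
    return read_string(blob, 0)[0].decode()


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Key blobs from authorized_keys-style lines (as a key-fetching helper would print).
    Limitation: options containing quoted spaces are not handled by this simple split."""
    blobs = set()
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, f in enumerate(fields[:-1]):   # options may precede the key type
            if f.startswith(("ssh-", "ecdsa-", "sk-")):
                try:
                    blob = base64.b64decode(fields[i + 1], validate=True)
                except ValueError:
                    break
                if key_type(blob) == f:       # type field must match the blob's own type
                    blobs.add(blob)
                break
    return blobs


def select_key(agent_keys, allowed_blobs):
    """First identity the agent holds that the administrator's key list permits."""
    for blob, comment in agent_keys:
        if blob in allowed_blobs:
            return blob, comment
    return None


def new_challenge(user: str, nbytes: int = 32) -> bytes:
    """Fresh, unpredictable challenge bound to the user so a captured
    signature cannot be replayed for another user or another login.
    The 'doas-agent-auth' domain prefix is an assumption of this example."""
    return b"doas-agent-auth\0" + user.encode() + b"\0" + os.urandom(nbytes)


def sign_request(blob: bytes, challenge: bytes) -> bytes:
    """Framed SSH_AGENTC_SIGN_REQUEST: key blob, data to sign, flags."""
    flags = SSH_AGENT_RSA_SHA2_256 if key_type(blob) == "ssh-rsa" else 0
    body = bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(blob) + ssh_string(challenge)
    return ssh_string(body + struct.pack(">I", flags))


# Constructed sample data (not real keys): ed25519 blobs whose 32-byte
# "points" are just counting bytes, and a key list naming only one of them.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
UNLISTED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
SAMPLE_AUTHORIZED_KEYS = (
    "# fetched by the administrator-provided key helper\n"
    'command="/bin/true" ssh-ed25519 ' + base64.b64encode(SAMPLE_BLOB).decode() + " alice@example\n"
    "ssh-rsa not-valid-base64 bob@example\n"
)


def demo():
    """Simulated agent answer holding two keys; returns the comment of the chosen one."""
    agent_reply = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 2)
                   + ssh_string(UNLISTED_BLOB) + ssh_string(b"work-laptop")
                   + ssh_string(SAMPLE_BLOB) + ssh_string(b"alice@example"))
    chosen = select_key(parse_identities_answer(agent_reply),
                        parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS))
    return None if chosen is None else chosen[1]
```

The part the proposal hands to an external program is `parse_authorized_keys` plus whatever produces its input; the part doas itself would have to carry is everything else, which is the "complicated fast" objection made concrete. Note that even with the framing right, the verifier side still has to check the returned signature against the selected blob and the exact challenge bytes, and must treat any agent error or mismatch as "fall back to bsd auth", never as success.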
