> On 27 Jul 2015, at 1:57 am, Ted Unangst <[email protected]> wrote:
>
> David Gwynne wrote:
>> this is rough, but enough to start a discussion.
>>
>> this lets doas authenticate a user by talking to their ssh agent
>> by specifying 'ssh-agent' on a permit line in the config. if agent
>> auth fails, doas falls back to bsd auth (ie, password auth).
>>
>> to minimise the amount of code needed in doas, most of the heavy
>> lifting is handed off to two external programs.
>
> ehhh... woah, this is getting complicated fast.
>
>> the first is a program that fetches a user's keys. it has to be
>> provided by the system administrator.
>>
>> at work i have an AuthorizedKeysCommand thing that fetches keys
>> from active directory (ie, an ldap) so users can do key based auth
>
> and it sounds like you will be the only user...
>
> If we add this, we would need to document it. And worse, users would need to
> read it. And it would sound cool, but then they'd struggle to set it up and
> get frustrated. It is, in short, an "attractive nuisance".
>
> If bsd auth does not suit your needs, then I think that should be the place to
> focus your efforts.
aww, the burn :(

i'm pretty sure i'm not the only user of AuthorizedKeysCommand. it sort of came via redhat, and i think sunssh on solaris has a similar capability via weird shared libs. presumably people who run more than a couple of machines at home find this stuff useful.

more importantly to me, i also got a private reply to my diff from someone who seemed keen on this on openbsd as they are current users of http://pamsshagentauth.sourceforge.net/ on other platforms. they also asked if i'd seen https://www.usenix.org/legacy/event/lisa08/tech/full_papers/burnside/burnside_html/index.html.

the link above is pretty depressing for two reasons. we could have had this functionality in place nearly 20 years ago, and between 98 when that paper was written and 2000 when bsd_auth seems to have been brought into the openbsd tree, the environment masking was put in place that gets in the way of me implementing a bsd_auth ssh agent login script.

just so i'm clear, we're not arguing about the general usefulness of being able to use an ssh agent for auth with doas? just how my diff did it? i'd like to be able to do it cos it would give us an alternative to implementing "tickets" to mitigate password requests.

if the preference is to do it via bsd_auth instead of hardcoding it in doas, can i have a suggestion on what the least damaging way of implementing it would be? the easiest change would be for bsd_auth to unconditionally copy SSH_AUTH_SOCK into the environment it calls the login script with. that could also be considered quite damaging though :( maybe whitelisting env vars in login.conf that can be passed to a login script by bsd_auth?

dlg
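The agent-side half of the flow dlg describes (doas, or a bsd_auth login script reached through SSH_AUTH_SOCK, asking the user's ssh agent to prove possession of one of the keys the admin's key-fetching program returned), as an added example in Python; this is not code from the diff or from OpenBSD. It assumes the standard ssh-agent protocol (list identities, then sign a fresh random challenge) and that `allowed_blobs` holds raw key blobs, i.e. the base64-decoded second field of the authorized_keys lines the admin's program prints; checking the returned signature against the key is left to an SSH signature library.

```python
import os, secrets, socket, struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
REQUEST_IDENTITIES, IDENTITIES_ANSWER, SIGN_REQUEST, SIGN_RESPONSE = 11, 12, 13, 14

def ssh_string(b):
    # SSH wire "string": uint32 big-endian length, then the bytes.
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    # Decode one SSH "string" at offset off; returns (bytes, next offset).
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated agent message")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities_answer(msg):
    # IDENTITIES_ANSWER: byte 12, uint32 count, then (key blob, comment) pairs.
    if not msg or msg[0] != IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

def build_sign_request(key_blob, challenge):
    # SIGN_REQUEST: byte 13, key blob, data to sign, uint32 flags (0 = default).
    return bytes([SIGN_REQUEST]) + ssh_string(key_blob) + ssh_string(challenge) + struct.pack(">I", 0)

def agent_call(sock_path, payload):
    # One length-framed request/reply over the agent's unix socket.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(ssh_string(payload))
        (n,) = struct.unpack(">I", s.recv(4, socket.MSG_WAITALL))
        return s.recv(n, socket.MSG_WAITALL)

def agent_signature(allowed_blobs, sock_path=None):
    # Sign a fresh random challenge with the first agent key the admin's key-fetching
    # program allowed; the caller must verify (blob, challenge, signature) before granting.
    sock_path = sock_path or os.environ["SSH_AUTH_SOCK"]
    for blob, _ in parse_identities_answer(agent_call(sock_path, bytes([REQUEST_IDENTITIES]))):
        if blob in allowed_blobs:
            challenge = secrets.token_bytes(32)
            reply = agent_call(sock_path, build_sign_request(blob, challenge))
            if reply and reply[0] == SIGN_RESPONSE:
                return blob, challenge, read_string(reply, 1)[0]
    return None
```

A signature that does not verify against the blob it was requested for, or a key not in `allowed_blobs`, must fall through to the password path exactly as the diff's bsd auth fallback does; the fresh challenge is what stops a captured signature being replayed.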
