
Bug#595817: ITP: libpam-ssh-agent -- PAM module providing authentication via ssh-agent



> How is it different from libpam-ssh?

libpam-ssh lets you log into a local console (terminal, GDM, etc) with
an SSH passphrase that unlocks your local private key.  It then starts
an SSH agent and adds your key to it.

libpam-ssh-agent allows you to SSH to a machine with agent forwarding,
and use the agent to authorise PAM transactions, most notably sudo.
The upshot of this is that I can go:

  machine1:~$ ssh -A machine2
  machine2:~$ sudo su -
  machine2:/ #

I am not prompted for a password to sudo, because libpam-ssh-agent
authorises me against my forwarded agent.  If I do not have agent
forwarding, PAM will follow its usual chain of methods for asking for
a credential, generally asking for a password:

  machine1:~$ ssh machine2
  machine2:~$ sudo su -
  Password:

> How will it interact with ssh-agent which starts from Xsession.d/?

If you start your own SSH agent, and add your private key, a standard
configuration would be to use this PAM module to allow you to sudo
with your agent (no password), the same way you could then SSH to
other servers with your agent (no password).

Craig


