#6 support command in authorized_keys

Milestone: None
Status: wont-fix
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-03-22
Created: 2013-11-07
Private: No

I would feel better about using pam_ssh_agent_auth for unattended automated scripts that use sudo on remote hosts if I could use command=/bin/blah (like ssh does) to restrict what command can be run. If the command doesn't match, then pam would continue to traverse the pam stack.

It would also be great if timestamp_timeout could be set per command instead of globally in sudoers, so that running the allowed command could not be used to set the time and allow other commands to be run without a password.

Not sure if either is technically feasible, but it would be great if they were!

Discussion

  • jbeverly - 2014-03-22

    Unfortunately, pam has no insight itself into what the user is attempting to do during authentication, only whether or not they can "prove" they are who they claim to be. You would probably be better served by letting sudo handle the authorization piece, and let this module handle the authentication piece.

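An added configuration example (not from the ticket or the project) of the split jbeverly describes: pam_ssh_agent_auth authenticates against the forwarded agent, sudoers restricts what that key may run, and a per-user timestamp_timeout=0 stops the permitted command from caching credentials that would unlock other commands. The user name deploy, the command path and the key file path are assumed.

```conf
# /etc/pam.d/sudo  (assumed file; Linux-PAM syntax)
# Authenticate with a key served by the forwarded ssh-agent. If no key in the
# file matches, fall through to the distribution's normal password stack.
auth     sufficient  pam_ssh_agent_auth.so  file=/etc/security/authorized_keys
auth     include     system-auth
account  include     system-auth
session  include     system-auth

# /etc/security/authorized_keys  (assumed path; public key of the automation host)
# Authentication only: command restriction is not enforced here, it lives in sudoers.
ssh-ed25519 AAAA...placeholder-public-key... automation@build-host

# /etc/sudoers.d/deploy  (edit with: visudo -f /etc/sudoers.d/deploy)
# sudo must see the forwarded agent socket for the PAM module to reach the agent.
Defaults        env_keep += "SSH_AUTH_SOCK"
# No credential caching for this user: running the permitted command never
# leaves a timestamp that a later, different sudo invocation could reuse.
Defaults:deploy timestamp_timeout=0
# Authorization: exactly one command, with no arguments allowed ("").
deploy ALL=(root) /usr/local/bin/deploy ""
```

The automation host then runs `ssh -A deploy@host sudo /usr/local/bin/deploy`; any other command is refused by the sudoers rule regardless of whether the key authenticated.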
  • jbeverly - 2014-03-22
    • status: open --> closed-fixed
    • Group: -->

  • jbeverly - 2014-03-22
    • status: closed-fixed --> wont-fix
