
pam_ssh_agent_auth 0.5 released

pam_ssh_agent_auth is a PAM module which permits authentication via ssh-agent.

Release 0.5 is functionally stable, and has been tested on NetBSD, FreeBSD, Solaris, RHEL4, RHEL5, Debian Etch, Debian Lenny, Ubuntu LTS (8.04), Ubuntu 8.10, and Mac OS X.

Every effort has been taken to ensure that this module is safe, but you should use it with caution, as this is still beta software. While this module can be used with any service that supports PAM, it was written with the intention of permitting authenticated sudo without password entry.

It serves as a middle ground between the two most common, and suboptimal, alternatives for cluster administration: allowing root login via ssh, or using NOPASSWD in sudoers. This module allows public-key authentication, and it does this by leveraging an authentication mechanism you are probably already using: ssh-agent.

There are caveats, of course: ssh-agent forwarding has its own security risks, which must be carefully considered for your environment. Where there are no untrusted intermediate servers, and you wish to retain traceability, accountability, and mandatory authentication for privileged command invocation, the benefits should outweigh the risks. Release 0.5 can be downloaded from SourceForge: https://sourceforge.net/project/showfiles.php?group_id=249556

If you encounter any issues with usability or security, please use the project’s SourceForge tracker: https://sourceforge.net/tracker2/?group_id=249556&atid=1126337

Note that if you wish to use this for sudo, you will need a version of sudo that does not carry a downstream patch that cleans the environment before the PAM dlopen calls. For instance, on Debian/Ubuntu, 1.6.9 works (1.6.8p12-1 does not); on RHEL, 1.6.7 or later works; on Darwin, I think any pristine source should work, but I've only tried 1.7.
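The configuration that the sudo caveat above implies, as an added example that is not part of the original announcement or the project's own documentation: the module reaches the agent through the UNIX socket named by the SSH_AUTH_SOCK environment variable, which is why a sudo that scrubs the environment before loading PAM modules breaks it, and it needs a root-controlled authorized-keys file to check the agent's keys against. The `file=` module argument and the sudoers `env_keep` directive are taken from my knowledge of the module and of sudoers, not from this page; the key-file path and the use of `sufficient` are assumptions.

```text
# /etc/pam.d/sudo (assumed layout; a Linux-PAM style stack)
# Try agent-backed public-key auth first; "sufficient" means a failed or
# absent agent falls through to the normal password prompt instead of
# granting access. The key file is an assumed path and must be owned by
# root and not writable by the users being authenticated.
auth    sufficient  pam_ssh_agent_auth.so file=/etc/security/authorized_keys
auth    include     system-auth
account include     system-auth
session include     system-auth

# /etc/sudoers (edit with visudo)
# Keep the agent socket path in the environment that sudo hands to PAM;
# without it the module has no agent to talk to and silently falls through.
Defaults env_keep += "SSH_AUTH_SOCK"
```

Two points worth checking after enabling this: confirm with `sudo -V` that you are on a sudo version that preserves the environment through the PAM call (the patched 1.6.8p12-1 named above will not, even with `env_keep`), and keep the authorized-keys file outside any user-writable location, since whoever can edit it can add a key that satisfies the module.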

Posted by jbeverly 2009-03-18
