Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pam-sshagent: only allow managed SSH keys #32178

Closed
wants to merge 1 commit into from
Closed

pam-sshagent: only allow managed SSH keys #32178

wants to merge 1 commit into from

Conversation

wmertens
Copy link
Contributor

@wmertens wmertens commented Nov 29, 2017
edited
Loading

[Breaking change]

Fixes #31611. If people have self-managed SSH keys in ~/.ssh, they will no longer be able to use those to get sudo access.

Update: This needs to be made configurable first, see the comment below. Basically, enable it if openssh non-managed keys are enabled, and allow overriding?

@wmertens wmertens mentioned this pull request Nov 29, 2017
Closed
@GrahamcOfBorg GrahamcOfBorg added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Nov 29, 2017
@sometimes-i-send-pull-requests
Copy link

As I mentioned in #31611, I currently depend on the behavior as-is, so I would like this to be configurable. I also don't think the configuration being as it is now was an unintentional introduction, since it must have taken some work for @edolstra to come up with 3644f91 in the first place, which was necessary for this to work at all. I would be much happier with this patch if:

  • It were an controlled by an option
  • Whether or not OpenSSH obeys non-managed keys were also an option
  • This option controlling pam_ssh_agent_auth defaulted to the value of the OpenSSH option

It's probably best if these both default to the more secure option, but it would be good to be consistent. What do you think?

@fpletz fpletz added the 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS label Mar 4, 2018
@matthewbauer matthewbauer deleted the pam-ssh-security branch April 13, 2018 02:41
@wmertens
Copy link
Contributor Author

@matthewbauer ???

@matthewbauer matthewbauer restored the pam-ssh-security branch April 13, 2018 04:21
@matthewbauer matthewbauer reopened this Apr 13, 2018
@matthewbauer
Copy link
Member

matthewbauer commented Apr 13, 2018
edited
Loading

Sorry, I thought I was deleting branches on my own fork.

@GrahamcOfBorg GrahamcOfBorg added the 8.has: module (update) This PR changes an existing module in `nixos/` label Apr 13, 2018
@zimbatm
Copy link
Member

zimbatm commented Oct 21, 2018

Let's get this merged. Any objections?

@zimbatm
Copy link
Member

zimbatm commented Oct 21, 2018

Reading #31611 (comment) I think this should be made configurable actually.

@bricewge bricewge mentioned this pull request May 31, 2019
Closed
10 tasks
@fpletz
Copy link
Member

fpletz commented Jun 2, 2019

I would say we go with #62317 to make it configurable properly. Thanks!

@fpletz fpletz closed this Jun 2, 2019
@fpletz fpletz deleted the pam-ssh-security branch June 2, 2019 17:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

pam_ssh_agent_auth allowing users to define own ssh pubkey
6 participants
@wmertens @sometimes-i-send-pull-requests @matthewbauer @zimbatm @fpletz @GrahamcOfBorg