NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Feature request: pam_ssh_agent_auth: Support ed25519-sk #195942

Open duament opened 1 year ago

duament commented 1 year ago

Fedora has a series of patches for building pam_ssh_agent_auth together with openssh, which support ed25519-sk (FIDO security key).

Could we use these patches in NixOS?

tomodachi94 commented 4 months ago

Pinging package maintainer @edolstra

master-hax commented 1 month ago

+1 ed25519-sk keys are not working for me

duament commented 1 month ago

@master-hax I'm now using pam_rssh. It works perfectly except it lacks a nixos module.

Here's my config:

```nix
security.pam.services.sudo.text = lib.mkDefault (lib.mkBefore ''
  auth sufficient ${pkgs.pam_rssh}/lib/libpam_rssh.so auth_key_file=/etc/ssh/authorized_keys.d/rvfg
'');
security.sudo.extraConfig = ''
  Defaults env_keep+=SSH_AUTH_SOCK
'';
```

I guess we may close this issue since the upstream is unmaintained for years.
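Since the thread notes that pam_rssh has no NixOS module, here is an added example (not from the thread or from the pam_rssh project) that wraps the configuration above in a small module. The option names `security.pam.rssh.*` are my own; `pkgs.pam_rssh`, `auth_key_file`, and the `env_keep` line come from the thread.

```nix
# Added example: a minimal NixOS module around pam_rssh, generalised from the
# sudo-only snippet in the thread to any list of PAM services.
{ config, lib, pkgs, ... }:

let
  cfg = config.security.pam.rssh;
in
{
  options.security.pam.rssh = {
    enable = lib.mkEnableOption "SSH-agent based authentication via pam_rssh";

    authorizedKeysFile = lib.mkOption {
      # str, not path: a path literal interpolated into the PAM line would be
      # copied into the world-readable Nix store and that copy used instead.
      type = lib.types.str;
      example = "/etc/ssh/authorized_keys.d/alice";
      description = ''
        Authorized_keys file consulted by pam_rssh. Keep it root-owned and not
        writable by the user, otherwise the user can authorise their own key.
      '';
    };

    services = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "sudo" ];
      description = "PAM services that may be satisfied by a key in the agent.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Prepend pam_rssh so it is tried before the password prompt; mkDefault
    # lets a host override the whole stack if it needs to.
    security.pam.services = lib.genAttrs cfg.services (_: {
      text = lib.mkDefault (lib.mkBefore ''
        auth sufficient ${pkgs.pam_rssh}/lib/libpam_rssh.so auth_key_file=${cfg.authorizedKeysFile}
      '');
    });

    # Without the agent socket, pam_rssh cannot reach the (FIDO) key and
    # sudo silently falls back to password authentication.
    security.sudo.extraConfig = ''
      Defaults env_keep+=SSH_AUTH_SOCK
    '';
  };
}
```

Enable it with `security.pam.rssh.enable = true;` and set `authorizedKeysFile`; a key that does not match the file, or an agent that is not forwarded, simply falls through to the next PAM entry.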

master-hax commented 1 month ago

Thanks @duament! The weird thing is, there is a build flag `withFIDO` on the openssh package that seems to be enabled by default. I don't understand why it doesn't work.

duament commented 1 month ago

> The weird thing is, there is a build flag `withFIDO` on the openssh package that seems to be enabled by default. I don't understand why it doesn't work.

pam_ssh_agent_auth doesn't link to openssh. Instead, their repo contains some very old openssh source files. So it has nothing to do with the openssh package in nixpkgs.

master-hax commented 1 month ago

Ah, got it! This is interesting; I would like to stop using passwords entirely.

(Also, I got ed25519-sk working without PAM.)