jbeverly / pam_ssh_agent_auth

Moving pam_ssh_agent_auth to github as primary development location
Other
99 stars 29 forks source link

Can the access to the SSH_AUTH_SOCK work within port forwarding? #10

Open bekkibobbek opened 6 years ago

bekkibobbek commented 6 years ago

I want to make use of that inside a port forwarding situation. So e.g. ssh user@host -L 1234:localhost:4321

User then wants to authenticate for localhost:1234. Is the host:4321 service capable of authenticating against SSH_AUTH_SOCK of that tunnel?

(is even clear what I'm trying to do?)

jbeverly commented 6 years ago

pam_ssh_agent_auth is a pam module like any other. So, if the service or utility running on localhost:4321 uses libpam, and its pam configuration uses pam_ssh_agent_auth then it will attempt to authenticate via whatever SSH_AUTH_SOCK path it has in its environment when pam_start begins.

So, if I understand your question correctly, and if you control the service on 4321 and the client connecting to it, what you could do is ssh -A -L 1234:localhost:4321 foo 'echo $SSH_AUTH_SOCK; while true; do sleep 1; done' and then have your client send that path of the forwarded ssh-agent Unix domain socket to localhost:1234 where your server could setenv("SSH_AUTH_SOCK", path) and start pam_start.

All that said; this would be rather convoluted, and if one user could guess the path of another users auth socket, they could masquerade authentication as that other user easily. There would not be any reliable way of ensuring the socket being authenticated for actually matched the auth socket. Also, things using pam typically need to run as root. For these reasons, if it was me, I would just have my custom client and server do authentication inline as part of their protocol. If I wanted to use ssh-agent, I'd just have my client send the signing requests to the local Unix domain socket as part of how it handles the authentication flow.

If you wanted to use an existing protocol, for example, http, then I would probably just rely on s_client auth or other supported mechanisms rather than trying to use ssh-agent.

If I have completely misunderstood your question, I apologize; let me know what you meant.

Thanks!