Open AlD opened 4 years ago
He, curious. The way this was implemented actually makes sense.
PAM_RUSER
or SUDO_USER
is supposed to be the "from" user. PAM_USER
is supposed to be the destination user. Having the destination user be the owner of authorized_keys_file
can make sense.
In reality however, when I invoke pam_ssh_agent_auth
from sudo on my Debian machine, ruser and user end up being the same, leading to the gaping security issue described above.
While I understand and appreciate the risk the option exposes, I also know that the organization that requested its addition had a valid usecases for it that composes with other Pam modules such as pam_listfile, and others. So while I would never encourage its use, and would certainly never enable it by default, I also wouldn't presume that it "has no reasonable use case" because I lack the omnipotence necessary to make that claim.
Is also note, just for anybody else reading this thread, the security hole, in the case of sudo, for example, is a reduction in security posture to an equivalent of using NOPASSWD in sudoers.
I'm not a fan of doing that either. But many seem to consider it a valid configuration.
Just to clarify: ruser
and user
both being set to the originating user is a bug, right? Maybe a sanity check should be added to pam_ssh_agent_auth to prevent this.
This was already perfectly explained in https://sourceforge.net/p/pamsshagentauth/bugs/21/, so I'll just quote it here: