jbeverly / pam_ssh_agent_auth

Moving pam_ssh_agent_auth to github as primary development location

Support FIDO/U2F ecdsa-sk and ed25519-sk ssh keys #23

Open srstsavage opened 4 years ago

srstsavage commented 4 years ago

Support for the new ecdsa-sk and ed25519-sk key types would be awesome.

virtualdxs commented 4 years ago

To help those Googling for this issue, here's the exact text of the error I get (which I'm fairly certain is caused by this issue):

pam_ssh_agent_auth: error: key_from_blob: remaining bytes in key blob 89

davex25 commented 4 years ago

I've been playing around with using pam_ssh_agent_auth for pam authentication of sudo over an ssh connection with my yubikey. Added KEY_ECDSA_SK type, and sk_application to the Key struct, and a few minor modifications later, pam_ssh_agent_auth now seems to be correctly requesting authentication from the client using the yubikey. Next thing I attempted was to handle ECDSA_SK signatures correctly, basing my changes on openssh ssh_ecdsa_sk_verify function implementation, but have not had success here so far.

But this is kind of reinventing the wheel, patching changes the openssh project already got working into this very similar (but different enough) code base. Have also briefly investigated jbeverly's pam_ssh_agent_auth-2.0 fork of openssh-portable, since it would get SK key support "for free" with a rebase, but it looks like that project has a lot of catching-up to do.
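An added illustration of the key-blob layout the two comments above are dealing with (the "remaining bytes in key blob" error and the extra application field davex25 mentions adding to the Key struct). This is example code written for this thread, not pam_ssh_agent_auth's or OpenSSH's own; it follows the OpenSSH public-key wire format (type name, then per-type string fields, with the FIDO "application" string appended for the -sk types), the sample blobs are constructed with no real key material, and the helper names (parse_key_blob, bytes_after_type_name, LEGACY_TYPES) are my own. For a constructed sk-ecdsa-sha2-nistp256 blob the bytes after the type name add up to 89 (curve name 12, point 69, application 8), the same count as in the error quoted above.

```python
"""Parse OpenSSH public-key blobs, including the FIDO/U2F -sk variants.

Added example, not pam_ssh_agent_auth's code. Field layout follows the
OpenSSH wire format (RFC 4251 'string' = uint32 length + bytes).
Sample keys below are constructed and contain no real key material.
"""
import base64
import struct

# Fields that follow the leading type-name string, per key type.
# The -sk types carry one extra trailing string: the FIDO application (rp id).
KEY_LAYOUTS = {
    "ssh-ed25519": ["pk"],
    "sk-ssh-ed25519@openssh.com": ["pk", "application"],
    "ecdsa-sha2-nistp256": ["curve", "point"],
    "sk-ecdsa-sha2-nistp256@openssh.com": ["curve", "point", "application"],
}

# What a parser that predates the -sk types knows about (hypothetical subset).
LEGACY_TYPES = {k: v for k, v in KEY_LAYOUTS.items() if not k.startswith("sk-")}


def read_string(blob, off):
    """Read one RFC 4251 string at offset off; return (bytes, new offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field at offset %d" % off)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("string of length %d overruns blob" % n)
    return blob[off:off + n], off + n


def parse_key_blob(blob, known_types=KEY_LAYOUTS):
    """Split a public-key blob into its fields; refuse blobs with leftover bytes."""
    raw_type, off = read_string(blob, 0)
    key_type = raw_type.decode("ascii")
    layout = known_types.get(key_type)
    if layout is None:
        # A parser that does not know the type stops here, with the whole
        # remainder of the blob unconsumed.
        raise ValueError("unsupported key type %s, remaining bytes in key blob %d"
                         % (key_type, len(blob) - off))
    fields = {"type": key_type}
    for name in layout:
        fields[name], off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("remaining bytes in key blob %d" % (len(blob) - off))
    if "point" in fields and (len(fields["point"]) != 65 or fields["point"][0] != 4):
        raise ValueError("expected a 65-byte uncompressed P-256 point")
    return fields


def bytes_after_type_name(blob):
    """How many bytes follow the type-name string (the leftover a type-unaware parser sees)."""
    _, off = read_string(blob, 0)
    return len(blob) - off


def parse_authorized_keys_line(line):
    """Parse '<type> <base64 blob> [comment]' and check the blob agrees with the type column."""
    key_type, b64 = line.split()[:2]
    fields = parse_key_blob(base64.b64decode(b64))
    if fields["type"] != key_type:
        raise ValueError("type column %s does not match blob type %s" % (key_type, fields["type"]))
    return fields


# --- constructed sample data -------------------------------------------------
def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def build_blob(key_type, *fields):
    """Assemble a blob from a type name and its string fields (test helper)."""
    return b"".join(ssh_string(x) for x in (key_type.encode("ascii"),) + fields)


FAKE_POINT = b"\x04" + bytes(range(64))            # 65-byte uncompressed point, not a real key
SAMPLE_SK_ECDSA = build_blob("sk-ecdsa-sha2-nistp256@openssh.com",
                             b"nistp256", FAKE_POINT, b"ssh:")
SAMPLE_SK_ED25519 = build_blob("sk-ssh-ed25519@openssh.com", bytes(32), b"ssh:")
SAMPLE_LINE = "sk-ssh-ed25519@openssh.com %s user@example" % (
    base64.b64encode(SAMPLE_SK_ED25519).decode("ascii"))

if __name__ == "__main__":
    print("bytes after type name (sk-ecdsa):", bytes_after_type_name(SAMPLE_SK_ECDSA))
    print("parsed:", parse_key_blob(SAMPLE_SK_ECDSA)["type"])
    try:
        parse_key_blob(SAMPLE_SK_ECDSA, LEGACY_TYPES)
    except ValueError as e:
        print("legacy parser:", e)
```

Running it shows the two failure modes a module without -sk support can hit: an unknown type name leaves the whole remainder unconsumed, and a parser that did recognise the base algorithm but not the trailing application string would still end with bytes left over. Either way the key is rejected rather than misinterpreted, which is the right default for an authentication module.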

cavokz commented 3 years ago

You might be interested in my implementation, see https://github.com/jbeverly/pam_ssh_agent_auth/issues/3.

davex25 commented 3 years ago

@cavokz Tried it out, appears to work perfectly for my yubikey use case above.

However your mailing list conversation is making me rethink whether this sudo use case makes sense to begin with.

cavokz commented 3 years ago

@davex25 What to do then if sshd is not there? Is using it as sudo replacement a reason good enough for installing and configuring it to listen on localhost only? I cannot answer, I usually install it quite early on a new machine.

JonasVautherin commented 1 year ago

I was looking into doing this (i.e. use my Yubikey to sudo over ssh), and then I realised that instead of going through the trouble of setting up the PAM module, I could just ssh to root when needed (quite obviously :sweat_smile:):

# ssh as user:
ssh user@server

# ssh as root:
ssh root@server

In the mailing list, somebody suggests that instead of doing this, it should be possible to set up the remote machine such that one can become root with:

ssh user@server # on the local machine
ssh -A localhost -l root # on the remote machine

@cavokz: did I understand this correctly?

cavokz commented 1 year ago

> In the mailing list, somebody suggests that instead of doing this, it should be possible to set up the remote machine such that one can become root with:
>
> ssh user@server # on the local machine
> ssh -A localhost -l root # on the remote machine
>
> @cavokz: did I understand this correctly?

I think so :)

katzeprior commented 4 months ago

Will this ever get updated? I can't use my yubikey since it doesn't recognize sk-ssh-ed25519 as a valid key_type_from_name.

Majiir commented 4 months ago

@katzeprior pam_ssh_agent_auth hasn't been maintained for a few years. In the meantime, you may be interested in pam_rssh which supports ed25519-sk keys.

jbeverly commented 4 months ago

Harsh, but fair. I would love assistance updating this project at some point, but I've not had time to really do much with this in quite a while.