{"id":13693993,"url":"https://github.com/uber/pam-ussh","last_synced_at":"2025-06-11T17:40:05.662Z","repository":{"id":17166926,"uuid":"80413903","full_name":"uber/pam-ussh","owner":"uber","description":"uber's ssh certificate pam module","archived":false,"fork":false,"pushed_at":"2023-03-19T22:59:35.000Z","size":19,"stargazers_count":832,"open_issues_count":16,"forks_count":79,"subscribers_count":2153,"default_branch":"master","last_synced_at":"2024-05-09T07:59:26.547Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/uber.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2017-01-30T11:01:29.000Z","updated_at":"2024-05-09T01:12:55.000Z","dependencies_parsed_at":"2023-01-11T20:26:01.475Z","dependency_job_id":"404719a6-8e65-4263-986e-ddde971c45b5","html_url":"https://github.com/uber/pam-ussh","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uber%2Fpam-ussh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uber%2Fpam-ussh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uber%2Fpam-ussh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uber%2Fpam-ussh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/uber","download_url":"https://codeload.github.com/uber/pam-ussh/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224346154,"owners_count":17296159,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T17:01:22.002Z","updated_at":"2024-11-12T20:31:00.209Z","avatar_url":"https://github.com/uber.png","language":"Go","readme":"Uber's SSH certificate pam module.\n\nThis is a pam module that will authenticate a user based on them having an ssh certificate in\ntheir ssh-agent signed by a specified ssh CA.\n\nThis is primarily intended as an authentication module for sudo. Using it for something else\nmay be unsafe (we haven't tested it anyway). We'd be happy to learn of other potential uses though.\n\nAn example usage would be you ssh to a remote machine and sshd authenticates you (probably\nusing your ssh cert, because if you're using it for this, you're probably using it for sshd\nas well). At that point when you want to run a command that requires authentication (eg.\n`sudo`), you can use pam-ussh for authentication.\n\nWorks on linux and osx. BSD doesn't work because go doesn't (yet) support `buildmode=c-shared`\non bsd.\n\nBuilding:\n\n1. clone the repo and run 'make'\n```\n  $ git clone github.com/uber/pam-ussh\n\n  ...\n\n  $ make\n  mkdir -p /home/pmoody/tmp/pam-ussh/.go/src\n  GOPATH=/home/pmoody/tmp/pam-ussh/.go go get golang.org/x/crypto/ssh\n  GOPATH=/home/pmoody/tmp/pam-ussh/.go go get golang.org/x/crypto/ssh/agent\n  GOPATH=/home/pmoody/tmp/pam-ussh/.go go get github.com/stretchr/testify/require\n  GOPATH=/home/pmoody/tmp/pam-ussh/.go go test -cover\n  PASS\n  coverage: 71.8% of statements\n  ok  \t_/home/pmoody/tmp/pam-ussh\t0.205s\n  GOPATH=/home/pmoody/tmp/pam-ussh/.go go build -buildmode=c-shared -o pam_ussh.so\n\n  $\n```\n\nUsage:\n\n1. put this pam module wherever pam modules live on your system, eg. `/lib/security`\n\n2. add it as an authentication method, eg.\n\n```\n  $ grep auth /etc/pam.d/sudo\n  auth [success=1 default=ignore] /lib/security/pam_ussh.so\n  auth requisite                  pam_deny.so\n  auth required                   pam_permit.so\n```\n\n3. make sure your SSH_AUTH_SOCK is available where you want to use this (eg. ssh -A user@host)\n\nRuntime configuration options:\n* `ca_file` - string, the path to your TrustedUserCAKeys file, default `/etc/ssh/trusted_user_ca`.\n  This is the pubkey that signs your user certificates.\n\n* `authorized_principals` - string, comma separated list of authorized principals, default `\"\"`.\n  If set, the user needs to have a principal in this list in order to use this module. If\n  this and `authorized_principals_file` are both set, only the last option listed is checked.\n\n* `authorized_principals_file` - string, path to an authorized_principals file, default `\"\"`.\n  If set, users need to have a principal listed in this file in order to use this module.\n  If this and `authorized_principals` are both set, only the last option listed is checked.\n\n* `group` - string, default `\"\"`.\n  If set, the user needs to be a member of this group in order to use this module.\n\n\nExample configuration:\n\nThe following looks for a certificate on $SSH_AUTH_SOCK that has been signed by user_ca. Additionally,\nthe user needs to have a principal on the certificate that's listed in /etc/ssh/root_authorized_principals\n\n```\nauth [success=1 default=ignore] /lib/security/pam_ussh.so ca_file=/etc/ssh/user_ca authorized_principals_file=/etc/ssh/root_authorized_principals\n```\n\nFAQ:\n\n* How do I report a security issue?\n  - Please report security issues at the [hackerone bug bounty page](https://hackerone.com/uber) and the bugbounty folks will determine bounty eligibility\n\n* does this work with non-certificate ssh-keys?\n  - No, not at the moment.\n  - There's no reason it can't though, we just didn't need it to do that so I never added the functionality\n\n* why aren't you using $DEP_SYSTEM?\n  - We didn't need to so we didn't bother\n\n* can you make it do $X?\n  - Submit a feature request, or better yet a pull request\n\n\nInformation on ssh certificates:\n* http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD\n* https://blog.habets.se/2011/07/OpenSSH-certificates.html\n","funding_links":[],"categories":["开源类库","Go","Open source library","SSH"],"sub_categories":["Auth"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fuber%2Fpam-ussh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fuber%2Fpam-ussh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fuber%2Fpam-ussh/lists"}