{"id":13648603,"url":"https://github.com/z4yx/pam_rssh","last_synced_at":"2025-04-05T15:03:16.219Z","repository":{"id":37086780,"uuid":"455741287","full_name":"z4yx/pam_rssh","owner":"z4yx","description":"Remote sudo authenticated via ssh-agent","archived":false,"fork":false,"pushed_at":"2024-12-29T04:16:31.000Z","size":82,"stargazers_count":122,"open_issues_count":3,"forks_count":10,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-03-29T14:06:34.945Z","etag":null,"topics":["canokey","rust","ssh-agent","sudo","yubikey"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/z4yx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-05T00:56:46.000Z","updated_at":"2025-03-27T01:50:49.000Z","dependencies_parsed_at":"2024-01-14T10:59:27.074Z","dependency_job_id":"96a087c3-1439-4115-a731-7cf045339187","html_url":"https://github.com/z4yx/pam_rssh","commit_stats":{"total_commits":64,"total_committers":8,"mean_commits":8.0,"dds":0.234375,"last_synced_commit":"39997cd9d94723a83736dfe0ed55796ade1b0c74"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/z4yx%2Fpam_rssh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/z4yx%2Fpam_rssh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/z4yx%2Fpam_rssh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/z4yx%2Fpam_rssh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/z4yx","download_url":"https://codeload.github.com/z4yx/pam_rssh/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247353729,"owners_count":20925329,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["canokey","rust","ssh-agent","sudo","yubikey"],"created_at":"2024-08-02T01:04:22.957Z","updated_at":"2025-04-05T15:03:16.202Z","avatar_url":"https://github.com/z4yx.png","language":"Rust","funding_links":[],"categories":["Rust"],"sub_categories":[],"readme":"# PAM-RSSH\n\n[![Rust](https://github.com/z4yx/pam_rssh/actions/workflows/rust.yml/badge.svg)](https://github.com/z4yx/pam_rssh/actions/workflows/rust.yml)\n\nThis PAM module provides ssh-agent based authentication. The primary design goal is to avoid typing password when you `sudo` on remote servers. Instead, you can simply touch your hardware security key (e.g. Yubikey/Canokey) to fulfill user verification. The process is done by forwarding the remote authentication request to client-side ssh-agent as a signature request.\n\nThis project is developed in Rust language to minimize security flaws.\n\n## Development Status\n\nIt's ready for production use, and has been tested on production servers for over a year. More tests and feedback are welcome.\n\nCurrently supported SSH public key types:\n- RSA (with SHA256 digest)\n- DSA\n- ECDSA 256/384/521\n- ECDSA-SK (FIDO2/U2F)\n- ED25519\n- ED25519-SK (FIDO2)\n\n## Build and Install\n\nPrerequisites:\n\n- OpenSSL (\u003e=1.1.1) \n- libpam\n- Rust (with Cargo)\n\nClone this repo with **a submodule**.\n\n```\ngit clone --recurse-submodule https://github.com/z4yx/pam_rssh.git\ncd pam_rssh\n```\n\nThen build it using Cargo.\n\n```\ncargo build --release\ncp target/release/libpam_rssh.so \u003cpam module path\u003e\n```\n\n## `pam module path`\n\nThe module path is specific to certain distributions\n\n| OS           | Destination                         |\n| ------------ | ----------------------------------- |\n| Arch Linux   | `/usr/lib/security/`                |\n| Debian       | `/lib/x86_64-linux-gnu/security/`   |\n| openSUSE     | `/lib/security/`                    |\n\n## Config\n\nAdd the following line to `/etc/pam.d/sudo` (place it before existing rules):\n\n```\nauth sufficient libpam_rssh.so\n```\n\nThen edit sudoers with `visudo` command. Add the following line: (It makes `sudo` keep the environment variable, so this module can communicate with ssh-agent)\n```\nDefaults        env_keep += \"SSH_AUTH_SOCK\"\n```\n\n\nStart a ssh-agent on your client, then add your keys with `ssh-add`. \n\nTry to ssh to your server with forwarded agent (-A option), and make a `sudo` there. \n\n## Optional Arguments\n\nThe following arguments are supported:\n\n- `loglevel=\u003coff|error|warn|info|debug|trace\u003e` Select the level of messages logged to syslog. Defaults to `warn`.\n- `debug` Equivalent to `loglevel=debug`. \n- `ssh_agent_addr=\u003cIP:port or UNIX domain address\u003e` The address of ssh-agent. Defaults to the value of `SSH_AUTH_SOCK` environment variable, which is set by ssh automatically.\n- `auth_key_file=\u003cPath to authorized_keys\u003e` Public keys allowed for user authentication. Defaults to `\u003chome\u003e/.ssh/authorized_keys`. `\u003chome\u003e` is read from system configuration, usually it expands to `/home/\u003cusername\u003e`.\n- `authorized_keys_command=\u003cPath to command\u003e` A command to generate the authorized_keys. It takes a single argument, the username of the user being authenticated. The standard output of this command will be parsed as authorized_keys. The `auth_key_file` will be ignored if you specify this argument.\n- `authorized_keys_command_user=\u003cUsername\u003e` The `authorized_keys_command` will be run as the user specified here. If this argument is omitted, the `authorized_keys_command` will be run as the user being authenticated.\n- `cue` Enable device interaction prompt. When enabled, displays a message reminding the user to touch their device during authentication.\n- `[cue_prompt=\u003cmessage\u003e]` Set custom prompt message for device interaction. Default: \"Please touch the device\". Use square brackets to include spaces in the message.\n\nArguments should be appended to the PAM rule. For example:\n\n```\nauth sufficient libpam_rssh.so debug authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys authorized_keys_command_user=nobody cue [cue_prompt=long long prompt]\n```\n\n## Use Variables in Arguments\n\nCertain variables can be used in arguments. Supported formats are `$var`, `${var}` and `${var:default value}`. For example:\n\n```\nauth sufficient libpam_rssh.so auth_key_file=/data/${user}.keys\n```\n\nVariables are mapped to PAM items. Currently the following variables are available:\n\n- service: PAM_SERVICE. The service name (which identifies the PAM stack that will be used).\n- user: PAM_USER. The username of the entity under whose identity service will be given.\n- tty: PAM_TTY. The terminal name.\n- rhost: PAM_RHOST. The requesting hostname.\n- ruser: PAM_RUSER. The requesting entity.\n\nFor detailed description on PAM items, read man page pam_get_item(3).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fz4yx%2Fpam_rssh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fz4yx%2Fpam_rssh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fz4yx%2Fpam_rssh/lists"}