[Nix-dev] PAM SSH agent auth question

aldiyen aldiyen at aldiyen.com
Tue Jan 13 05:00:58 CET 2015

Hey all,

Anyone know why the NixOS PAM config that gets generated when the sshAgentAuth setting is set to true includes files owned by the user (within that user's home directory)?

It seems like this could be rather insecure, given that an attacker who obtained the ability to write files using the current user's permissions could simply write new SSH keys into these authorized keys files and obtain access to whatever services are configured to allow SSH agent-based authentication (including, perhaps, su and/or sudo)

Would it make more sense to change this to reference only the /etc/pam/authorized_keys.d/%u path?

Kind regards,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.science.uu.nl/pipermail/nix-dev/attachments/20150112/13c4cbf4/attachment-0001.html 

More information about the nix-dev mailing list