[Nix-dev] PAM SSH agent auth question

Eelco Dolstra edolstra at gmail.com
Tue Jan 13 14:26:18 CET 2015


On 13/01/15 05:00, aldiyen wrote:

> Anyone know why the NixOS PAM config that gets generated when the sshAgentAuth
> setting is set to true includes files owned by the user (within that user's home
> directory)?
> It seems like this could be rather insecure, given that an attacker who obtained
> the ability to write files using the current user's permissions could simply
> write new SSH keys into these authorized keys files and obtain access to
> whatever services are configured to allow SSH agent-based authentication
> (including, perhaps, su and/or sudo)
> Would it make more sense to change this to reference only the
> /etc/pam/authorized_keys.d/%u path?

I'm inclined to agree, but it's worth noting that the use of user-owned
authorized key files is sanctioned by the pam_ssh_agent_auth manpage:


Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/

More information about the nix-dev mailing list