[Nix-dev] PAM SSH agent auth question
Eelco Dolstra
edolstra at gmail.com
Tue Jan 13 14:26:18 CET 2015
Hi,
On 13/01/15 05:00, aldiyen wrote:
> Anyone know why the NixOS PAM config that gets generated when the sshAgentAuth
> setting is set to true includes files owned by the user (within that user's home
> directory)?
>
> It seems like this could be rather insecure, given that an attacker who obtained
> the ability to write files using the current user's permissions could simply
> write new SSH keys into these authorized keys files and obtain access to
> whatever services are configured to allow SSH agent-based authentication
> (including, perhaps, su and/or sudo)
>
> Would it make more sense to change this to reference only the
> /etc/pam/authorized_keys.d/%u path?
I'm inclined to agree, but it's worth noting that the use of user-owned
authorized key files is sanctioned by the pam_ssh_agent_auth manpage:
http://pamsshagentauth.sourceforge.net/
--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
More information about the nix-dev
mailing list