[Nix-dev] PAM SSH agent auth question

Matt Explosion aldiyen at aldiyen.com
Tue Jan 13 22:52:41 CET 2015

Perhaps it should be made configurable (on a per service basis), with a
more secure/best-practice type default, so it can be overridden as needed?
I would be happy to make the necessary changes and make a pull request if

On 1/13/15, 8:26 AM, "Eelco Dolstra" <edolstra at gmail.com> wrote:

>On 13/01/15 05:00, aldiyen wrote:
>> Anyone know why the NixOS PAM config that gets generated when the
>> setting is set to true includes files owned by the user (within that
>> user's home
>> directory)?
>> It seems like this could be rather insecure, given that an attacker who has
>> the ability to write files using the current user's permissions could
>> write new SSH keys into these authorized keys files and obtain access to
>> whatever services are configured to allow SSH agent-based authentication
>> (including, perhaps, su and/or sudo).
>> Would it make more sense to change this to reference only the
>> /etc/pam/authorized_keys.d/%u path?
>I'm inclined to agree, but it's worth noting that the use of user-owned
>authorized key files is sanctioned by the pam_ssh_agent_auth manpage:
>  http://pamsshagentauth.sourceforge.net/
>Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
>nix-dev mailing list
>nix-dev at lists.science.uu.nl
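
One way to audit for the concern raised in this thread, as an added example that is not part of the original messages or of NixOS: a Python check that flags pam_ssh_agent_auth entries whose key files can be owned by the authenticating user. The sample PAM lines are constructed, and joining several paths with ':' inside one file= argument is an assumption about the generated configuration.

```python
# Added example: static audit of PAM lines that use pam_ssh_agent_auth.
# Flags key-file locations the authenticating user can write to.

# file= expansions that resolve to the user's home directory ("~" and "%h").
# "%H" (hostname) and "%u" (username) are deliberately not matched.
HOME_PREFIXES = ("~", "%h")
OWNED_FLAG = "allow_user_owned_authorized_keys_file"


def audit_pam_lines(lines):
    """Return a list of (line_number, path_or_None, reason) findings."""
    findings = []
    for number, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()  # drop PAM comments
        if "pam_ssh_agent_auth.so" not in line:
            continue
        args = line.split()
        if OWNED_FLAG in args:
            findings.append((number, None, "user-owned key files explicitly allowed"))
        for arg in args:
            if not arg.startswith("file="):
                continue
            # Assumption: multiple key files are separated by ':'.
            for path in arg[len("file="):].split(":"):
                if path.startswith(HOME_PREFIXES):
                    findings.append((number, path, "key file inside user's home directory"))
    return findings


# Constructed sample configuration, not taken from a real system.
SAMPLE = [
    "# sudo service (constructed)",
    "auth sufficient pam_ssh_agent_auth.so "
    "file=~/.ssh/authorized_keys:%h/.ssh/authorized_keys2:/etc/pam/authorized_keys.d/%u",
    "auth sufficient pam_ssh_agent_auth.so file=/etc/pam/authorized_keys.d/%u",
    "auth sufficient pam_ssh_agent_auth.so file=/etc/pam/authorized_keys.d/%u " + OWNED_FLAG,
    "auth required pam_unix.so",
]

if __name__ == "__main__":
    for number, path, reason in audit_pam_lines(SAMPLE):
        print(f"line {number}: {path or '-'}: {reason}")
```

A path such as /etc/pam/authorized_keys.d/%u passes this static check only; whether the file and its parent directories are actually root-owned and not writable by others still has to be verified on the host.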
