1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
|
post_install() {
cat <<EOF
IMPORTANT SECURITY NOTE:
This PKGBUILD is packaging code whose status is rather unknown !
Since I do NOT maintain this code in any way, but merely
package it for Arch Linux, there is absolutely no warranty for
this code. It is totally possible that I got the wrong code repo
altogether and that it still contains open security bugs which
have already been fixed elsewhere.
A bit of background on why this PKGBUILD exists anyway:
As of 2017-01-27, the latest pam_ssh_agent_auth in AUR
(0.10.2-1 at https://aur.archlinux.org/packages/pam_ssh_agent_auth/)
as well as the latest upstream release (0.10.3, at
https://sourceforge.net/projects/pamsshagentauth/) both DO NOT support
any ECC ssh user keys (neither ECDSA nor ED25519 keys).
The issue is known on the official bugtracker
(https://sourceforge.net/p/pamsshagentauth/feature-requests/10/)
and quite a few people seem to look for this feature but the original
maintainer does not seem to get around to implementing it because
doing it cleanly requires a rebase to the current OpenSSH code base.
And that costs the volunteers' scarcest resource :)
However, digging a little deeper revealed this very promising discussion
between the original maintainer and a helper who claims to have ECC
support implemented:
https://sourceforge.net/p/pamsshagentauth/discussion/903801/thread/784a4a5c/
The link also mentions a Github repository which seems to be the
maintainer's replacement for SoureForge. Inspection of the repo
showed that some work did in fact go into ECC support as well as
the incorporation of a pull request by the aforementioned helper.
Unfortunately, it is also using another Github project as a submodule
which introduces an additional dependency (one the original maintainer
does not seem to be too fond of, judging by the commit message)
Depending on your security sensitivity and awareness, those are a
lot of "seems" for a PAM module :)
To summerize, on the downside you have
1. A git repo which seems to be the next official development repo
but wasn't officially announced as such anywhere
2. Code in the master branch with an unknown status regarding
stability or feature completeness
3. No statement by the maintainer as to the future of the repo (or
what looks like the "replacement repo's replacement" on Github
"pam_ssh_agent_auth-2.0"
4. A hard dependency on another Git repo
On the upside, the only thing this code has going for it is
1. ED22519 key support seems to work just fine (and ECDSA should be
there but I didn't test it)
That last point is honestly the ONLY reason why you might want to
prefer this PKGBUILD over the non-Git one in AUR or the officially
released versions. If you are hard pressed to support ECC user keys
in your SSH setup, give this a shot, but keep in mind, this PKGBUILD
is even more experimental than usual for the background given above.
I am providing all of this information here hoping to give you a
better chance at taking an educated decision whether this PKGBUILD
is right for you or not.
Feel free to verify or add to this information (via the comment section),
I will gladly incorporate it. I am planning to keep an eye on both the
other AUR pam_ssh_agent_auth PKGBUILD as well as the upstream development.
Maybe this PKGBUILD will be obsolete soon, there was some development
activity in recent months.
USE THIS PKGBUILD AT YOUR OWN RISK AND ONLY IF YOU FULLY
UNDERSTAND THE SECURITY IMPLICATIONS OF NOT USING THE OFFICIALLY
ANNOUNCED pam_ssh_agent_auth CODE BASE !
Consider yourself warned.
If security is paramount for you or in case of any doubt,
please use the official pam_ssh_agent_auth code base instead.
EOF
}
post_upgrade() {
post_install
}
|