[FR] Default socket path

[pallaswept]

Hi,

It's nice to see a more recently maintained alternative, thanks for that.

One problem with the original pam_ssh_agent_auth, as you are aware, is that the path to the agent socket must be set in the environment. Since sudo would normally clear the variable, we must modify sudo's configuration to leave the variable intact.

Unfortunately, this is not possible in some cases. Two examples are the Display Manager and PolicyKit. polkit provides pkexec, which provides gksu and kdesu, which provide root auth for GUI apps in Gnome and KDE DEs. In these cases, pam_ssh_agent_auth can not be used.

A PR exists to deal with this, by providing a default socket path in the pam configuration. I've been using this patch to get the plugin to work with KDE for some time now and it works very well, the author of the PR uses it for SDDM.

The maintenance state of pam_ssh_agent_auth is concerning so I'd like to try this as a replacement, but I would need a feature like this. I hope you'd be open to the idea?

Path variable expansion would be useful in conjunction with this, but I see from the readme that is already on your radar.

Thanks

[nresare]

Hi!

Thank you for bringing this to my attention. Let me have a look

[nresare]

There is a preliminary implementation on the https://github.com/nresare/pam-ssh-agent/commits/default_socket_path/ branch but I have not tested in any structured way yet.

[nresare]

I landed the feature after some successful casual testing and created v0.5.1. Please let me know if there is anything else you might need.

[pallaswept]

I landed the feature after some successful casual testing and created v0.5.1. Please let me know if there is anything else you might need.

Wow you're fast! You had it coded, tested and added before I could even find time to build it... before I even finished my first reply here! 😆 Thank you!

[nresare]

@pallaswept I'm currently looking at implementing the path expansion features, and I must admit that trying to look at the upstream code in pam_ssh_agent_auth to get an understanding of the details of the features was not a pleasant experience.

So I'm thinking that maybe it would make sense to start instead from looking at how the features are used. Are you using the various path expansions in any way and if so, how?

[pallaswept]

Yehhh that source code is pretty uhm....yeh, it's something isn't it? 😆
I already thought it was bad until I realised that there are currently at least three active forks of it in existence, too - this one, the florianfranzen 'one big cookie' fork that works with ed25519, and the fedora fork. So it's three times worse than it looks. The most confusing part is fedora's fork which builds as part of their openssh build... But at least it builds with GCC14

The whole thing has a vibe of "this is so broken it needs to be replaced". I feel like the value of your project here is not quite fully appreciated yet.

I do use the path expansion in that plugin, in the case of polkit:

> cat /etc/pam.d/polkit-1
#%PAM-1.0

auth     sufficient     pam_ssh_agent_auth.so file=/root/.ssh/authorized_keys_pam default_ssh_auth_sock=/run/user/%U/ssh-agent.socket
auth     include        /usr/lib/pam.d/polkit-1
account  include        /usr/lib/pam.d/polkit-1
password include        /usr/lib/pam.d/polkit-1
session  include        /usr/lib/pam.d/polkit-1

This is quite helpful, because by default, the ssh-agent socket is stored in /run/user/[UID]/ (I think this is because FHS says to put sockets there). Without the path expansion, I dealt with this by symlinking to the socket, but it's a bit messy that way.

Honestly, that's the only use-case I personally have for this. I did make use of %h and ~, when I didn't have %U provided by the above patchset. I guess some of the host name stuff might be useful for those doing this across a network. There are a few examples over at https://github.com/jbeverly/pam_ssh_agent_auth/blob/master/pam_ssh_agent_auth.pod#expansions that might be helpful?