security/pam_rssh: New port

This PAM module provides ssh-agent based authentication. The primary design goal is to avoid typing password when you sudo on remote servers. Instead, you can simply touch your hardware security key (e.g. Yubikey/Canokey) to fulfill user verification. The process is done by forwarding the remote authentication request to client-side ssh-agent as a signature request.
freebsd · Mar 20, 2023 · d856093 · d856093
1 parent 502fa56
commit d856093
Show file tree

Hide file tree

Showing 4 changed files with 146 additions and 0 deletions.
diff --git a/security/Makefile b/security/Makefile
@@ -732,6 +732,7 @@
     SUBDIR += pam_pkcs11
     SUBDIR += pam_pwdfile
     SUBDIR += pam_require
+    SUBDIR += pam_rssh
     SUBDIR += pam_script
     SUBDIR += pam_search_list
     SUBDIR += pam_ssh_agent_auth

diff --git a/security/pam_rssh/Makefile b/security/pam_rssh/Makefile
@@ -0,0 +1,63 @@
+PORTNAME=	pam_rssh
+DISTVERSIONPREFIX=v
+DISTVERSION=	1.0.0-rc1
+CATEGORIES=	security
+
+MAINTAINER=	romain@FreeBSD.org
+COMMENT=	Remote sudo authenticated via ssh-agent
+WWW=		https://github.com/z4yx/pam_rssh
+
+LICENSE=	MIT
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+USES=		cargo ssl
+USE_GITHUB=	yes
+
+GH_ACCOUNT=	z4yx
+GH_PROJECT=	ssh-agent.rs:sshagent
+GH_TAGNAME=	91894139966e01941f17386a84c6b35e6ea155b8:sshagent
+GH_SUBDIR=	dep/ssh-agent.rs:sshagent
+
+CARGO_CRATES=	autocfg-1.1.0 \
+		base64-0.13.1 \
+		bitflags-1.3.2 \
+		byteorder-1.4.3 \
+		cc-1.0.78 \
+		cfg-if-1.0.0 \
+		error-chain-0.12.4 \
+		foreign-types-0.3.2 \
+		foreign-types-shared-0.1.1 \
+		futures-0.1.31 \
+		libc-0.2.139 \
+		log-0.4.17 \
+		multisock-1.0.0 \
+		once_cell-1.17.0 \
+		openssl-0.10.45 \
+		openssl-macros-0.1.0 \
+		openssl-sys-0.9.80 \
+		pam-bindings-0.1.1 \
+		pkg-config-0.3.26 \
+		proc-macro2-1.0.49 \
+		pwd-1.4.0 \
+		quote-1.0.23 \
+		serde-1.0.152 \
+		serde_derive-1.0.152 \
+		syn-1.0.107 \
+		syslog-5.0.0 \
+		thiserror-1.0.38 \
+		thiserror-impl-1.0.38 \
+		time-0.1.45 \
+		unicode-ident-1.0.6 \
+		vcpkg-0.2.15 \
+		version_check-0.9.4 \
+		wasi-0.10.0+wasi-snapshot-preview1 \
+		winapi-0.3.9 \
+		winapi-i686-pc-windows-gnu-0.4.0 \
+		winapi-x86_64-pc-windows-gnu-0.4.0
+
+PLIST_FILES=	lib/pam_rssh.so
+
+do-install:
+	${INSTALL_LIB} ${CARGO_TARGET_DIR}/${CARGO_BUILD_TARGET}/release/libpam_rssh.so ${STAGEDIR}${PREFIX}/lib/pam_rssh.so
+
+.include <bsd.port.mk>
diff --git a/security/pam_rssh/distinfo b/security/pam_rssh/distinfo
@@ -0,0 +1,77 @@
+TIMESTAMP = 1679275918
+SHA256 (rust/crates/autocfg-1.1.0.crate) = d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa
+SIZE (rust/crates/autocfg-1.1.0.crate) = 13272
+SHA256 (rust/crates/base64-0.13.1.crate) = 9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8
+SIZE (rust/crates/base64-0.13.1.crate) = 61002
+SHA256 (rust/crates/bitflags-1.3.2.crate) = bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a
+SIZE (rust/crates/bitflags-1.3.2.crate) = 23021
+SHA256 (rust/crates/byteorder-1.4.3.crate) = 14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610
+SIZE (rust/crates/byteorder-1.4.3.crate) = 22512
+SHA256 (rust/crates/cc-1.0.78.crate) = a20104e2335ce8a659d6dd92a51a767a0c062599c73b343fd152cb401e828c3d
+SIZE (rust/crates/cc-1.0.78.crate) = 61375
+SHA256 (rust/crates/cfg-if-1.0.0.crate) = baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd
+SIZE (rust/crates/cfg-if-1.0.0.crate) = 7934
+SHA256 (rust/crates/error-chain-0.12.4.crate) = 2d2f06b9cac1506ece98fe3231e3cc9c4410ec3d5b1f24ae1c8946f0742cdefc
+SIZE (rust/crates/error-chain-0.12.4.crate) = 29274
+SHA256 (rust/crates/foreign-types-0.3.2.crate) = f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1
+SIZE (rust/crates/foreign-types-0.3.2.crate) = 7504
+SHA256 (rust/crates/foreign-types-shared-0.1.1.crate) = 00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b
+SIZE (rust/crates/foreign-types-shared-0.1.1.crate) = 5672
+SHA256 (rust/crates/futures-0.1.31.crate) = 3a471a38ef8ed83cd6e40aa59c1ffe17db6855c18e3604d9c4ed8c08ebc28678
+SIZE (rust/crates/futures-0.1.31.crate) = 157731
+SHA256 (rust/crates/libc-0.2.139.crate) = 201de327520df007757c1f0adce6e827fe8562fbc28bfd9c15571c66ca1f5f79
+SIZE (rust/crates/libc-0.2.139.crate) = 638983
+SHA256 (rust/crates/log-0.4.17.crate) = abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e
+SIZE (rust/crates/log-0.4.17.crate) = 38028
+SHA256 (rust/crates/multisock-1.0.0.crate) = 09b00b95a51f8573ee359668dfbfed424212dd0fc74df2333816fddff856f342
+SIZE (rust/crates/multisock-1.0.0.crate) = 4643
+SHA256 (rust/crates/once_cell-1.17.0.crate) = 6f61fba1741ea2b3d6a1e3178721804bb716a68a6aeba1149b5d52e3d464ea66
+SIZE (rust/crates/once_cell-1.17.0.crate) = 32736
+SHA256 (rust/crates/openssl-0.10.45.crate) = b102428fd03bc5edf97f62620f7298614c45cedf287c271e7ed450bbaf83f2e1
+SIZE (rust/crates/openssl-0.10.45.crate) = 234763
+SHA256 (rust/crates/openssl-macros-0.1.0.crate) = b501e44f11665960c7e7fcf062c7d96a14ade4aa98116c004b2e37b5be7d736c
+SIZE (rust/crates/openssl-macros-0.1.0.crate) = 5566
+SHA256 (rust/crates/openssl-sys-0.9.80.crate) = 23bbbf7854cd45b83958ebe919f0e8e516793727652e27fda10a8384cfc790b7
+SIZE (rust/crates/openssl-sys-0.9.80.crate) = 61687
+SHA256 (rust/crates/pam-bindings-0.1.1.crate) = 95c337e922acb6ab9c3ddd1016fed13957a5bf14f51b6caa293ddc8dd47660ca
+SIZE (rust/crates/pam-bindings-0.1.1.crate) = 6829
+SHA256 (rust/crates/pkg-config-0.3.26.crate) = 6ac9a59f73473f1b8d852421e59e64809f025994837ef743615c6d0c5b305160
+SIZE (rust/crates/pkg-config-0.3.26.crate) = 18662
+SHA256 (rust/crates/proc-macro2-1.0.49.crate) = 57a8eca9f9c4ffde41714334dee777596264c7825420f521abc92b5b5deb63a5
+SIZE (rust/crates/proc-macro2-1.0.49.crate) = 41977
+SHA256 (rust/crates/pwd-1.4.0.crate) = 72c71c0c79b9701efe4e1e4b563b2016dd4ee789eb99badcb09d61ac4b92e4a2
+SIZE (rust/crates/pwd-1.4.0.crate) = 4145
+SHA256 (rust/crates/quote-1.0.23.crate) = 8856d8364d252a14d474036ea1358d63c9e6965c8e5c1885c18f73d70bff9c7b
+SIZE (rust/crates/quote-1.0.23.crate) = 28058
+SHA256 (rust/crates/serde-1.0.152.crate) = bb7d1f0d3021d347a83e556fc4683dea2ea09d87bccdf88ff5c12545d89d5efb
+SIZE (rust/crates/serde-1.0.152.crate) = 77091
+SHA256 (rust/crates/serde_derive-1.0.152.crate) = af487d118eecd09402d70a5d72551860e788df87b464af30e5ea6a38c75c541e
+SIZE (rust/crates/serde_derive-1.0.152.crate) = 55586
+SHA256 (rust/crates/syn-1.0.107.crate) = 1f4064b5b16e03ae50984a5a8ed5d4f8803e6bc1fd170a3cda91a1be4b18e3f5
+SIZE (rust/crates/syn-1.0.107.crate) = 237539
+SHA256 (rust/crates/syslog-5.0.0.crate) = 9a5d8ef1b679c07976f3ee336a436453760c470f54b5e7237556728b8589515d
+SIZE (rust/crates/syslog-5.0.0.crate) = 9014
+SHA256 (rust/crates/thiserror-1.0.38.crate) = 6a9cd18aa97d5c45c6603caea1da6628790b37f7a34b6ca89522331c5180fed0
+SIZE (rust/crates/thiserror-1.0.38.crate) = 18947
+SHA256 (rust/crates/thiserror-impl-1.0.38.crate) = 1fb327af4685e4d03fa8cbcf1716380da910eeb2bb8be417e7f9fd3fb164f36f
+SIZE (rust/crates/thiserror-impl-1.0.38.crate) = 15429
+SHA256 (rust/crates/time-0.1.45.crate) = 1b797afad3f312d1c66a56d11d0316f916356d11bd158fbc6ca6389ff6bf805a
+SIZE (rust/crates/time-0.1.45.crate) = 28911
+SHA256 (rust/crates/unicode-ident-1.0.6.crate) = 84a22b9f218b40614adcb3f4ff08b703773ad44fa9423e4e0d346d5db86e4ebc
+SIZE (rust/crates/unicode-ident-1.0.6.crate) = 42158
+SHA256 (rust/crates/vcpkg-0.2.15.crate) = accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426
+SIZE (rust/crates/vcpkg-0.2.15.crate) = 228735
+SHA256 (rust/crates/version_check-0.9.4.crate) = 49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f
+SIZE (rust/crates/version_check-0.9.4.crate) = 14895
+SHA256 (rust/crates/wasi-0.10.0+wasi-snapshot-preview1.crate) = 1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f
+SIZE (rust/crates/wasi-0.10.0+wasi-snapshot-preview1.crate) = 26964
+SHA256 (rust/crates/winapi-0.3.9.crate) = 5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419
+SIZE (rust/crates/winapi-0.3.9.crate) = 1200382
+SHA256 (rust/crates/winapi-i686-pc-windows-gnu-0.4.0.crate) = ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6
+SIZE (rust/crates/winapi-i686-pc-windows-gnu-0.4.0.crate) = 2918815
+SHA256 (rust/crates/winapi-x86_64-pc-windows-gnu-0.4.0.crate) = 712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f
+SIZE (rust/crates/winapi-x86_64-pc-windows-gnu-0.4.0.crate) = 2947998
+SHA256 (z4yx-pam_rssh-v1.0.0-rc1_GH0.tar.gz) = 8228ae7a2afccd141c1f2a19f942fb1cb3b5dc0032136553d289d781d4cb1500
+SIZE (z4yx-pam_rssh-v1.0.0-rc1_GH0.tar.gz) = 12458
+SHA256 (z4yx-ssh-agent.rs-91894139966e01941f17386a84c6b35e6ea155b8_GH0.tar.gz) = 3cdf7be1161d8afd499c5f43779eb188bb255c5981be268a300dfd229e218259
+SIZE (z4yx-ssh-agent.rs-91894139966e01941f17386a84c6b35e6ea155b8_GH0.tar.gz) = 13221
diff --git a/security/pam_rssh/pkg-descr b/security/pam_rssh/pkg-descr
@@ -0,0 +1,5 @@
+This PAM module provides ssh-agent based authentication. The primary design
+goal is to avoid typing password when you sudo on remote servers. Instead, you
+can simply touch your hardware security key (e.g. Yubikey/Canokey) to fulfill
+user verification. The process is done by forwarding the remote authentication
+request to client-side ssh-agent as a signature request.