Install PAM module for ssh agent-based authentication

This one’s esoteric… but earnest.

Problem/Justification

ssh users could elevate our password hygiene if iX would preinstall pam_ssh_agent_auth.so.

(Or one of its recent up-and-coming successors, which could use more vetting.)

Impact

I don’t propose changing any policy, configuration, or UI. As far as I know, there should be no impact on FIPS compliance and (by default) no increase in attack surface.

User Story

I frequently ssh into my TrueNAS server from macOS, to run scripts and manipulate files.

Public key authentication allows me to do this safely and conveniently, without the downsides of passwords. And 1Password allows me to hide those keys behind TouchID biometric authorization.

Unfortunately, this doesn’t mean I can set a complex random passcode for my admin account. In practice, I still often need to satisfy sudo with a passphrase from muscle memory.

On my other Debian systems, I address this by installing the libpam-ssh-agent-auth package and adding minor policy tweaks under /etc/pam.d.

Now when I enter sudo in remote shells in those systems, 1Password prompts me client-side for TouchID approval. And those accounts now bear long, random, immemorable passcodes.

I don’t mind making the policy edits by hand, or via startup scripts. But I can’t add the necessary plugin to /usr/lib/x86_64-linux-gnu/security without the full impact of developer mode.

You wonderful stewards could do so.

Thanks for your consideration!
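As an added example (not part of the original post, and not TrueNAS or iX code), the settings the post refers to on its Debian systems look like the following, together with a small checker for the two mistakes that most often leave pam_ssh_agent_auth silently unused: the module listed after the password include, and sudo scrubbing SSH_AUTH_SOCK. The pam.d contents, the sudoers line, the host alias `truenas`, and the 1Password agent socket path are assumptions to adapt, not Debian or iX defaults.

```shell
#!/bin/sh
# Added example, not from the original post: server-side PAM and sudoers
# settings that let sudo accept a forwarded ssh-agent signature instead of a
# password, plus a checker run over constructed sample files (nothing under
# /etc is touched). Paths and contents below are assumptions to adapt.

# Server: /etc/pam.d/sudo. The agent line must come BEFORE the include that
# pulls in pam_unix. "sufficient" means a valid signature satisfies auth,
# while a failure falls through to the normal password prompt, so a missing
# agent never locks you out. Only public keys listed in the root-owned file=
# are accepted; a forwarded key that is not in that file is rejected.
PAM_SUDO_STANZA='#%PAM-1.0
auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
@include common-auth
@include common-account
@include common-session-noninteractive'

# Server: /etc/sudoers.d/ssh-agent. sudo resets the environment, and without
# SSH_AUTH_SOCK the module cannot find the forwarded socket.
SUDOERS_LINE='Defaults env_keep += "SSH_AUTH_SOCK"'

# Client (macOS): ~/.ssh/config entry. ForwardAgent exposes the agent to root
# on the server for the life of the session; with 1Password every signature
# still needs TouchID approval on the Mac, which is what bounds that risk.
# The socket path is 1Password's documented macOS agent path (assumed here).
CLIENT_SSH_CONFIG='Host truenas
    ForwardAgent yes
    IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.group.com.1password/t/agent.sock"'

# check_pam_sudo PAMFILE SUDOERSFILE
# Returns 0 when PAMFILE has an uncommented "auth sufficient
# pam_ssh_agent_auth.so" line ahead of the first @include and SUDOERSFILE
# keeps SSH_AUTH_SOCK; otherwise prints the reason to stderr and returns 1.
check_pam_sudo() {
    pamfile=$1
    sudoersfile=$2
    agent_line=$(grep -nE '^auth[[:space:]]+sufficient[[:space:]]+pam_ssh_agent_auth\.so' "$pamfile" \
        | head -n 1 | cut -d: -f1)
    include_line=$(grep -n '^@include' "$pamfile" | head -n 1 | cut -d: -f1)
    if [ -z "$agent_line" ]; then
        echo "$pamfile: no 'auth sufficient pam_ssh_agent_auth.so' line" >&2
        return 1
    fi
    if [ -n "$include_line" ] && [ "$agent_line" -gt "$include_line" ]; then
        echo "$pamfile: pam_ssh_agent_auth.so is listed after @include (pam_unix will prompt first)" >&2
        return 1
    fi
    if ! grep -Eq '^Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"?SSH_AUTH_SOCK"?' "$sudoersfile"; then
        echo "$sudoersfile: SSH_AUTH_SOCK is not in env_keep" >&2
        return 1
    fi
    return 0
}

# Demo on constructed files: a correct pair passes, a pair with the agent
# line below the include fails.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$PAM_SUDO_STANZA" > "$tmp/sudo.ok"
    printf '%s\n' "$SUDOERS_LINE" > "$tmp/sudoers.ok"
    printf '@include common-auth\nauth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys\n' \
        > "$tmp/sudo.misordered"
    check_pam_sudo "$tmp/sudo.ok" "$tmp/sudoers.ok" && echo "ok pair: PASS"
    check_pam_sudo "$tmp/sudo.misordered" "$tmp/sudoers.ok" || echo "misordered pair: FAIL (expected)"
    rm -rf "$tmp"
}
demo
```

When applying this on a real host, keep a second root shell open, put the client's public key into the root-owned `/etc/security/authorized_keys` (mode 0644, owned by root), then run `sudo -k; sudo true` in the forwarded session before logging out; if it still asks for a password, `ssh-add -L` on the server will show whether the forwarded socket is reachable at all, and the module's messages land in the auth log. The checker deliberately insists on `sufficient` rather than `required`: `required` would make the agent mandatory and turn a dead agent into a lockout.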