File pam-ssh-agent.spec of Package pam-ssh-agent
#
# spec file for package pam-ssh-agent
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
#%%global build_rustflags %%build_rustflags -C debuginfo=0
Name: pam-ssh-agent
Version: 0.9.5+git20251017.6158b51
Release: 0
Summary: A PAM module that authenticates using the ssh-agent
License: Apache-2.0 AND MIT
URL: https://github.com/nresare/pam-ssh-agent
Source0: %{name}-%{version}.tar.gz
Source1: vendor.tar.zst
BuildRequires: cargo
BuildRequires: cargo-packaging
BuildRequires: git-core
BuildRequires: pam-devel
BuildRequires: rust
%description
The goal of this project is to provide a PAM authentication module determining
the identity of a user based on a signature request and response sent via the
ssh-agent protocol to a potentially remote ssh-agent.

One scenario that this module can be used in is to grant escalated privileges
on a remote system accessed using ssh with agent forwarding enabled and the
sudo command. The user proves their identity by signing a challenge using their
private key, and the signature is verified using a public key made available
to the pam-ssh-agent module on the server. Combined with a setup where the
private part of an authentication keypair is stored in custom hardware such as
a YubiKey, a TPM chip, or the macOS secure enclave, this can provide a high
level of security as well as convenience. I use the Secretive app on macOS for
this purpose.

This project is a re-implementation of the pam_ssh_agent_auth module but does
not share any code with that project. We are pretty close to covering all the
features of the original implementation, along with some additional features
such as SSH Certificate based authentication.
%prep
%autosetup -a1
%build
%{cargo_build}
%install
install -Dm 755 target/release/libpam_ssh_agent.so %{buildroot}%{_pam_moduledir}/libpam_ssh_agent.so
%files
%license LICENSE-MIT LICENSE-APACHE
%doc README.md
%{_pam_moduledir}/libpam_ssh_agent.so
%changelog