2004-09-11 · in Ideas

The su command on most systems requires the user to supply a password to switch to another user's identity. However, it's often useful to authenticate yourself using public-key cryptography instead: for instance, when logging in over SSH or SSL, or when you're already using a keyring manager to securely control the use of your keys.

It may be possible to make su perform public-key authentication using a PAM module. This would allow an entirely unprivileged SSH server to be written that simply defers to su to start users' processes, or allow su to use a forwarded ssh-agent connection to draw on authentication information held on a remote machine.
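The agent side of the check such a PAM module would make, as an added example that is not part of the original post: it parses the keys a forwarded agent offers, keeps only one the target user authorizes, and builds a sign request over a fresh nonce. The function names are hypothetical and the message numbers are those of the ssh-agent protocol; verifying the returned signature needs a crypto library and is assumed to happen in the caller.

```python
import os
import struct

# ssh-agent protocol message numbers
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Decode one SSH string at off; the agent is untrusted, so check bounds."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def parse_identities(payload: bytes) -> list:
    """Return the public-key blobs from an SSH_AGENT_IDENTITIES_ANSWER payload."""
    if len(payload) < 5 or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, blobs = 5, []
    for _ in range(count):
        blob, off = read_string(payload, off)
        _comment, off = read_string(payload, off)
        blobs.append(blob)
    return blobs

def start_challenge(identities_payload: bytes, authorized: set):
    """Pick an agent key the target user authorizes and build a sign request
    over a fresh nonce. Returns (key_blob, nonce, framed_request) or None."""
    for blob in parse_identities(identities_payload):
        if blob in authorized:
            nonce = os.urandom(32)  # fresh per attempt, so a signature cannot be replayed
            body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(blob)
                    + ssh_string(nonce) + struct.pack(">I", 0))  # flags = 0
            return blob, nonce, ssh_string(body)  # outer frame is length-prefixed too
    return None

def parse_sign_response(payload: bytes) -> bytes:
    """Return the signature blob; anything but a sign response is a refusal."""
    if not payload or payload[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("agent refused or sent an unexpected message")
    sig, _ = read_string(payload, 1)
    return sig
```

The module must verify the returned signature over the nonce with the selected public key before PAM reports success; receiving a sign response proves nothing by itself.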