2005-12-18T03:49:33Z Photos, electronics, cnc, and more Jeff Eplerjepler@unpythonic.net 2005-12-18T03:49:33Z 2005-12-18T03:49:33Z http://emergent.unpythonic.net/software/01134877773 <div style="float:right;clear:right"><!-- pam-ssh.png--><div class=albumouter style=width:306px id=><div class=albumimage style="width:306px;margin-left:0px;"><img src="http://media.unpythonic.net/emergent-files/software/01134877773/pam-ssh.png"><br><span>A console login mediated by pam_ssh</span></div></div> </div> This is neat. <a href="http://pam-ssh.sourceforge.net/">pam_ssh</a> &quot;provides single sign-on behavior for SSH. The user types an SSH passphrase when logging in (probably to GDM, KDM, or XDM) and is authenticated if the passphrase successfully decrypts the user's SSH private key. In the PAM session phase, an ssh-agent process is started and keys are added. For the entire session, the user can SSH to other hosts that accept key authentication without typing any passwords.&quot; <p>The only snag I ran into on FC2 was that the script in <tt> /etc/X11/xdm/Xsession</tt> unconditionally started a fresh ssh-agent, even if <tt> $SSH_AGENT_PID</tt> was already set. I changed the SSHAGENT= line to read <span class=indent><tt>[ -x /usr/bin/ssh-agent &amp;&amp; -z &quot;$SSH_AGENT_PID&quot; ] &amp;&amp; SSHAGENT=&quot;/usr/bin/ssh-agent&quot;</tt></span> and then everything worked. I'm now using it for console and gdm logins on one of my machines. <p>On FC2 I built the rpm from the tarball. It looks like FC4 has one available via yum. <p><b>Update 2006/01/09:</b> I was having trouble with pam_ssh not leaving an ssh-agent running the next time I logged in after a crash (dead battery). I discovered that the problem was that leftover <tt>~/.ssh/agent-*</tt> files would trick pam_ssh into thinking that an appropriate ssh-agent was already running. I now remove these files in /etc/rc.local when booting.