The Emergent Properties of Meat

A console login mediated by pam_ssh
This is neat. pam_ssh "provides single sign-on behavior for SSH. The user types an SSH passphrase when logging in (probably to GDM, KDM, or XDM) and is authenticated if the passphrase successfully decrypts the user's SSH private key. In the PAM session phase, an ssh-agent process is started and keys are added. For the entire session, the user can SSH to other hosts that accept key authentication without typing any passwords."

The only snag I ran into on FC2 was that the script in /etc/X11/xdm/Xsession unconditionally started a fresh ssh-agent, even if $SSH_AGENT_PID was already set. I changed the SSHAGENT= line to read [ -x /usr/bin/ssh-agent ] && [ -z "$SSH_AGENT_PID" ] && SSHAGENT="/usr/bin/ssh-agent" and then everything worked. I'm now using it for console and gdm logins on one of my machines.

On FC2 I built the rpm from the tarball. It looks like FC4 has one available via yum.

Update 2006/01/09: I was having trouble with pam_ssh not leaving an ssh-agent running the next time I logged in after a crash (dead battery). I discovered that the problem was that leftover ~/.ssh/agent-* files would trick pam_ssh into thinking that an appropriate ssh-agent was already running. I now remove these files in /etc/rc.local when booting.
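Both problems above (Xsession starting a second agent on top of the one pam_ssh created, and stale ~/.ssh/agent-* files after a crash fooling pam_ssh) come down to the same question: is the agent the environment claims to have actually alive? The following is an added example, not the Fedora Xsession script, pam_ssh, or the author's own rc.local. It tests liveness of the agent behind SSH_AGENT_PID/SSH_AUTH_SOCK instead of only checking that the variable is set, and provides the boot-time cleanup of agent-* files. The function names, the default /usr/bin/ssh-agent path and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example: decide whether an X session needs its own ssh-agent, and
# clean up stale pam_ssh agent files at boot. Names and paths are assumed.

# Return 0 (true) only when the agent described by SSH_AGENT_PID and
# SSH_AUTH_SOCK is actually usable: the pid is alive and the socket exists.
# A variable merely being set (e.g. inherited from a session that crashed)
# is not enough.
agent_usable() {
    [ -n "$SSH_AGENT_PID" ] || return 1
    kill -0 "$SSH_AGENT_PID" 2>/dev/null || return 1
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    return 0
}

# Echo the agent command Xsession should prepend, or nothing when a live
# agent (such as the one pam_ssh started) is already available.
# $1: path of the ssh-agent binary (default /usr/bin/ssh-agent, assumed)
sshagent_cmd() {
    agent_bin=${1:-/usr/bin/ssh-agent}
    if [ -x "$agent_bin" ] && ! agent_usable; then
        printf '%s\n' "$agent_bin"
    fi
}

# Boot-time cleanup: remove per-user agent-* files left behind by a crash so
# pam_ssh does not mistake them for a running agent. Nothing else in the
# directory is touched.
# $1: directory to clean (normally the user's ~/.ssh)
clean_agent_files() {
    dir=$1
    for f in "$dir"/agent-*; do
        [ -e "$f" ] || continue   # the glob matched nothing
        rm -f "$f"
    done
}
```

Used from Xsession as SSHAGENT=$(sshagent_cmd), this reproduces the fix in the post but also survives the crash case: a leftover SSH_AGENT_PID whose process is gone no longer suppresses the new agent. clean_agent_files is the rc.local step; at boot no user agent can legitimately be running, so unconditional removal is correct there.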

Entry first conceived on 18 December 2005, 3:49 UTC, last modified on 10 January 2006, 0:40 UTC

Powered by the Emergent Properties of Meat. Copyright © 2004-2008 Jeff Epler