Gentoo Forums
Forum Index -> Networking & Security
Topic: searching for pam_ssh_agent howto
feffi
Apprentice
Joined: 29 Mar 2003
Posts: 216
Location: Sol->Earth->Germany->Giessen

Posted: Tue Mar 08, 2005 11:52 pm    Post subject: searching for pam_ssh_agent howto

Hi folks,
anybody into pam_ssh_agent? Has anybody made a successful setup? I'm trying to spawn an agent before KDE, and pam_ssh_agent seems to be perfect. Any help or a good pointer at a tutorial would be very nice :)
_________________
have fun

feffi

/(bb|[^b]{2})/ that is the Question!

Gentoo-Wiki: Acer Travelmate 803 LCi manual
adsmith
Veteran
Joined: 26 Sep 2004
Posts: 1386
Location: NC, USA

Posted: Thu Oct 13, 2005 3:12 am

Did you ever get this working? I'm trying it, too.

I've tried this:
http://www.clasohm.com/blog/one-entry?entry_id=12085,
but it doesn't seem to work so simply (though I'm munging what they say for my own goals)
whyscream
n00b
Joined: 17 Feb 2004
Posts: 46

Posted: Thu Oct 13, 2005 5:49 am

adsmith wrote:
Did you ever get this working? I'm trying it, too.

I've tried this:
http://www.clasohm.com/blog/one-entry?entry_id=12085,
but it doesn't seem to work so simply (though I'm munging what they say for my own goals)


I used that guide to set it up and it works great.
adsmith
Veteran
Joined: 26 Sep 2004
Posts: 1386
Location: NC, USA

Posted: Thu Oct 13, 2005 12:05 pm

okay, thanks for the tip. Once i have some time next week, I'll give it a shot.
adsmith
Veteran
Joined: 26 Sep 2004
Posts: 1386
Location: NC, USA

Posted: Sun Oct 23, 2005 3:57 pm

By the way, this works perfectly after switching to pam_ssh instead of pam_ssh_agent.
depontius
Advocate
Joined: 05 May 2004
Posts: 3526

Posted: Thu Mar 09, 2006 2:49 pm

Warning... this is a little long-winded, but I'm trying to do this in the most secure and versatile way.

I'm wanting more to look at this, after my last OpenSSH upgrade. I see that cleartext tunnelled passwords are now disabled by default. (I find it a little annoying that "PermitRootLogin yes" is still the default, but that's a different issue.) While inconvenient, I admit that I really should be using key-based login, hence finding this thread.

There are 2 ebuilds available, pam_ssh and pam_ssh_agent, the latter claiming to spawn ssh-agent, the former presumably using an already-running one. There's also a package called "keychain" which I'm not sure how it fits in and differentiates from just using ssh-agent. I'm printing the DeveloperWorks articles now, and will peruse them over the next day or two.

Reading the HowTo that others have suggested, I see a problem with it. They have suggested putting:
Code:
auth sufficient pam_ssh.so

in /etc/pam.d/(gdm, kdm, xdm, login, whatever) and allowing authentication with just your private key password. For one thing, I'm on AFS at work, and it has lines like:
Code:
auth       required   pam_stack.so service=system-auth
auth       sufficient   pam_afs.so   try_first_pass  ignore_root
auth       required   pam_nologin.so

This does a few things. First, the box password is also my AFS password, and I have a "unified" login. Second, it's possible to have box-only logins, and notably root won't even try AFS authentication. I would think that the better option would be:
Code:
auth       required   pam_stack.so service=system-auth
auth       optional     pam_ssh.so try_first_pass
auth       sufficient    pam_afs.so   try_first_pass  ignore_root
auth       required   pam_nologin.so

In this way, basic system authentication is preserved. If there's a password-protected private key, it gets used, but if there isn't, it's OK. Finally AFS is authenticated, and this all happens with the single login password. I see several problems with this scheme:
1: My ssh key pass*phrase* is much stronger than my login password, but it also doesn't get regular changes. Maybe regular changes would ease my fears on this.
2: There's no hook between "passwd" and the command to change my private key passphrase/word. It's a manual thing. For that matter, it's manual today with AFS. I have to use both "passwd" and "kpasswd" when it's time to change passwords.
3: My home machine spends most of the day logged in to my wife's account, and the other machine logged in to my daughter's. I do much of my work under "su - my_account". No ssh-agent, and none of this works, at least not easily. Maybe keychain will offer some help to this, from what little I've read.

I'm interested in any perspectives or feedback on this.
_________________
.sigs waste space and bandwidth
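Added example (my own code, not from this thread, from the howto, or from the pam_ssh/pam_ssh_agent/keychain packages): a small Python check for the ordering problem depontius points out in the howto's "auth sufficient pam_ssh.so" line. PAM walks the auth lines top to bottom; a "sufficient" entry that succeeds returns success immediately unless a "required"/"requisite" entry above it has already failed. So a "sufficient" line with no veto-capable line above it is a complete login path on its own. The script parses pam.d-style text, reports every such module, and runs it over two stacks constructed from the post's own lines: the howto's line dropped in above the AFS stack, and the reordering proposed above. Assumptions: the standard keyword controls and the bracketed "[success=... default=...]" form, with "pam_stack.so service=system-auth" treated as one opaque required entry rather than recursed into.

```python
"""Audit a PAM 'auth' stack for entries that can log a user in on their own.

Added example, not code from the forum thread or from pam_ssh/Gentoo.
A 'sufficient' entry that no 'required'/'requisite' line precedes is a
complete authentication path by itself: if that module succeeds, PAM returns
success and nothing below it (system-auth included) is consulted.
"""
import re
from typing import List, Tuple

Entry = Tuple[str, str, str]   # (control, module, args)

_VETO = ("required", "requisite")


def _split_control(fields: List[str]) -> Tuple[str, List[str]]:
    """Return (control, remaining fields); bracketed controls may contain spaces."""
    if not fields[0].startswith("["):
        return fields[0], fields[1:]
    i = 0
    while not fields[i].endswith("]"):
        i += 1
    return " ".join(fields[: i + 1]), fields[i + 1:]


def parse_auth_stack(text: str) -> List[Entry]:
    """Keep only 'auth' lines (a leading '-' marks a module that may be absent);
    comments, blank lines and other types (account/password/session) are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0].lstrip("-") != "auth" or len(fields) < 3:
            continue
        control, rest = _split_control(fields[1:])
        if not rest:
            continue
        entries.append((control.lower(), rest[0], " ".join(rest[1:])))
    return entries


def _can_veto(control: str) -> bool:
    """True for controls whose failure makes the whole stack fail."""
    if control in _VETO:
        return True
    return control.startswith("[") and bool(re.search(r"default=(die|bad)", control))


def _short_circuits(control: str) -> bool:
    """True for controls whose success ends the stack with success at once."""
    if control == "sufficient":
        return True
    return control.startswith("[") and "success=done" in control


def standalone_auth_modules(text: str) -> List[str]:
    """Modules whose success alone completes 'auth' (no earlier line can veto them)."""
    findings: List[str] = []
    veto_seen = False
    for control, module, _args in parse_auth_stack(text):
        if _short_circuits(control) and not veto_seen:
            findings.append(module)
        if _can_veto(control):
            veto_seen = True
    return findings


# Constructed sample: the howto's line placed above the AFS stack from the post.
WEAK_XDM = """\
auth       sufficient pam_ssh.so
auth       required   pam_stack.so service=system-auth
auth       sufficient pam_afs.so   try_first_pass  ignore_root
auth       required   pam_nologin.so
"""

# Constructed sample: the ordering proposed in the post (system-auth first, pam_ssh optional).
PROPOSED_XDM = """\
auth       required   pam_stack.so service=system-auth
auth       optional   pam_ssh.so try_first_pass
auth       sufficient pam_afs.so   try_first_pass  ignore_root
auth       required   pam_nologin.so
"""

if __name__ == "__main__":
    for name, stack in (("weak", WEAK_XDM), ("proposed", PROPOSED_XDM)):
        print(name, "->", standalone_auth_modules(stack) or "no standalone login path")
```

On the weak stack the check names pam_ssh.so (the key passphrase alone grants the session); on the proposed one it names nothing, because pam_stack.so is required before pam_afs.so can short-circuit and pam_ssh.so is only optional. A real audit would also recurse into whatever "service=system-auth" pulls in, since a sufficient line at the top of that file has the same effect.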