Greetings.

Last year I completed a PAM module that provides single sign-on behavior for UNIX using SSH. Users are authenticated by decrypting their SSH private keys with the password provided (probably to XDM). In the PAM session phase, an ssh-agent process is started and any successfully decrypted private keys are added. Hence, users only type their logins and passwords once at the beginning of a session. As a side benefit, system administrators can elect to rid the password database of authentication data.

At the time I wrote pam_ssh, Theo de Raadt said he wanted to keep the OpenSSH code base tightly-controlled, so my patches were not imported. FreeBSD was interested, however, and pam_ssh has been part of the core ever since.

Now that the code has been performing well for a year in FreeBSD, would you consider importing it into OpenSSH (where it truly belongs, IMO)?

Btw, I recently added support for DSA keys, though the changes have not yet been committed into FreeBSD. I noticed that, even though ssh-agent is able to cache DSA keys, ssh still doesn't seem to be able to grab them from the agent. I tried this with pam_ssh as well as starting ssh-agent and running ssh-add manually. Am I confused, or is full DSA support still in the works?

--
Andrew J. Korty, Principal Security Engineer
Office of the Vice President for Information Technology
Indiana University