Hi!

I would like to activate ssh-agent automatically if I login
via ssh.

My /etc/pam.d/sshd looks like:

# auth
auth      required    pam_nologin.so     no_warn
auth      sufficient  pam_opie.so        no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so  no_warn allow_local
auth      required    pam_unix.so        no_warn try_first_pass
auth      optional    pam_ssh.so         no_warn try_first_pass

# account
account   required    pam_login_access.so
account   required    pam_unix.so

# session
session   optional    pam_ssh.so
session   required    pam_permit.so

# password
password  required    pam_unix.so        no_warn try_first_pass

At ssh login I have to type in login password and password
for my ssh-key as expected but no ssh-agent is started. Any
ideas?

best regards
-Stefan
-- 
Chemnitz University of Technology / Welding Engineering
Stefan Thurner
Phone / Fax: +49 371 531-32403 / -23729
Email: stefan.thurner@mb.tu-chemnitz.de

Stefan Thurner wrote:
> I would like to activate ssh-agent automatically if I login
> via ssh.

As far as I know there is no mechanism to start ssh-agent
automatically. (Someone please correct me if I'm wrong.)

Personally I have the following snippet in my ~/.zshrc
which starts ssh-agent if it isn't already running.
It also works if the home directory is shared across
multiple machines.

    if [[ $EUID -ne 0 ]]; then
        # one agent file per host, so a shared home directory works
        AGENTFILE="${HOME}/.ssh-agent.${HOST%%.*}"
        if [[ -r "$AGENTFILE" ]]; then
            source "$AGENTFILE"
        else
            # no agent file yet: use this shell's PID so the check
            # below does not match and a new agent is started
            export SSH_AGENT_PID=$$
        fi
        if [[ -z "$SSH_AGENT_PID" ]] \
           || ! ps -p "$SSH_AGENT_PID" | grep -q ssh-agent; then
            # >! overwrites the file even if zsh's noclobber is set
            ssh-agent >! "$AGENTFILE"
            source "$AGENTFILE"
        fi
        unset AGENTFILE
    fi

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Life is short (You need Python)"
        -- Bruce Eckel, ANSI C++ Committee member, author of
           "Thinking in C++" and "Thinking in Java"

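A hardened variant of the per-host agent file approach from the snippet above, as an added example that is not part of the original thread: the agent file is checked for ownership and permissions and then parsed rather than sourced, and a stale agent is detected through the socket instead of ps and grep. The function names are hypothetical, and the parser assumes the Bourne-style output of "ssh-agent -s".

```sh
#!/bin/sh
# Added example, not Oliver's code. Same per-host agent file, but the file is
# validated and parsed instead of being sourced as shell code.

# True only if $1 is a regular file we own that group/other cannot write.
agent_file_trusted() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Print variable $2 from agent file $1 if its value matches the whole-line
# pattern $3. Nothing in the file is ever executed.
agent_file_value() {
    sed -n "s/^$2=\([^;]*\); export $2;\$/\1/p" "$1" | head -n 1 |
        grep -E -x -e "$3"
}

# Export the agent settings from $1. Fails if the file is untrusted or
# malformed, the socket is gone, or the agent does not answer.
load_agent() {
    agent_file_trusted "$1" || return 1
    la_sock=$(agent_file_value "$1" SSH_AUTH_SOCK '/[A-Za-z0-9._/-]+') || return 1
    la_pid=$(agent_file_value "$1" SSH_AGENT_PID '[0-9]+') || return 1
    [ -S "$la_sock" ] && [ -O "$la_sock" ] || return 1
    # ssh-add -l exits 2 only when it cannot contact the agent.
    SSH_AUTH_SOCK=$la_sock ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ] || return 1
    SSH_AUTH_SOCK=$la_sock SSH_AGENT_PID=$la_pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# Reuse this host's agent or start one. Call from ~/.profile or ~/.zshrc.
ensure_agent() {
    [ "$(id -u)" -ne 0 ] || return 0        # never for root, as in the post
    ea_file="$HOME/.ssh-agent.$(hostname | cut -d. -f1)"
    load_agent "$ea_file" && return 0
    # umask 077 keeps the file private; noclobber (set -C) refuses to write
    # through a file or symlink that appears after the rm.
    (umask 077; rm -f "$ea_file"; set -C; ssh-agent -s > "$ea_file") || return 1
    load_agent "$ea_file"
}
```
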
On 11/23/06, Stefan Thurner <stefan.thurner@mb.tu-chemnitz.de> wrote:
> I would like to activate ssh-agent automatically

You might want to check out keychain[1][2] as well, it's a pretty
simple interface to ssh-agent along the same lines as Oliver's script.

[1] /usr/ports/security/keychain
[2] http://dev.gentoo.org/~agriffis/keychain/

-- 
Gordon Stratton

On Thursday, 23 November 2006 at 9:53:26 +0100, Stefan Thurner wrote:
> Hi!
>
> I would like to activate ssh-agent automatically if I login
> via ssh.
>
> My /etc/pam.d/sshd looks like:
>
> # auth
> auth      required    pam_nologin.so     no_warn
> auth      sufficient  pam_opie.so        no_warn no_fake_prompts
> auth      requisite   pam_opieaccess.so  no_warn allow_local
> auth      required    pam_unix.so        no_warn try_first_pass
> auth      optional    pam_ssh.so         no_warn try_first_pass
>
> # account
> account   required    pam_login_access.so
> account   required    pam_unix.so
>
> # session
> session   optional    pam_ssh.so
> session   required    pam_permit.so
>
> # password
> password  required    pam_unix.so        no_warn try_first_pass
>
> At ssh login I have to type in login password and password
> for my ssh-key as expected but no ssh-agent is started. Any
> ideas?

Hi Stefan.
The /etc/pam.d/sshd PAM file is for the sshd server, not for the ssh client.
If you want to use ssh-agent the whole time your box is online you
should start it right after login. In order to do this, add the
"session optional pam_ssh.so want_agent"
line into the session facility of the /etc/pam.d/system file (it's included
into /etc/pam.d/login so don't worry). If you prefer X terminals, add
this string to the /etc/pam.d/kdm or gdm or xdm file.
Don't forget to load your private key with the ssh-add command the first time
you use ssh.

-- 
Best regards, Nikolay Pavlov.

> Hi Stefan.
> The /etc/pam.d/sshd PAM file is for the sshd server, not for the ssh client.
> If you want to use ssh-agent the whole time your box is online you
> should start it right after login. In order to do this, add the
> "session optional pam_ssh.so want_agent"
> line into the session facility of the /etc/pam.d/system file (it's included
> into /etc/pam.d/login so don't worry).

Hi Nikolay!

That's right and I have such a line in my pam.d/system file. But
what I want is that ssh-agent is started on the remote host if I
login on the remote host. Therefore I added the described lines in
the pam.d/sshd file on the remote host. The password for ssh-key is
requested if I login on the remote host (as it should) but no
ssh-agent is started. I'm quite sure that it is a bug in pam_ssh.so.
When bug reporting on the freebsd site is working again I will send
in a problem report.

best regards
-Stefan
-- 
GPG-encrypted mail welcome! --> ID:E970FCBE