Logging into KDE/Gnome with your SSH passphrase - updated for FC5
From FedoraNEWS.ORG
Written by Anand Buddhdev on 2006-08-09
Summary
This little trick allows you to login to KDE or Gnome using your SSH passphrase. It automatically starts an ssh-agent, and adds your key into it. You no longer have to run ssh-add at KDE or Gnome startup.
Requirements
This article assumes that you're running a fully up-to-date Fedora Core 5 system. It also assumes that you have already generated your SSH keypair, which is stored in the usual location, ~/.ssh/id_dsa, and that you have configured KDE or Gnome to run ssh-add at startup, so you can type in your passphrase. The only extra package required for this technique is the pam_ssh package from Fedora Extras. The Extras repository is enabled by default on FC5, so you just need to type yum install pam_ssh as root to install it.
Configuration
As root, edit /etc/pam.d/system-auth. One existing line is changed and two new lines are added: the auth entry for pam_unix.so is edited to read as shown, and the auth entry for pam_ssh.so and the session entry for pam_ssh.so are new. The file should end up looking like this:
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so
    auth        sufficient    pam_ssh.so nullok try_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     required      pam_unix.so
    session     optional      pam_ssh.so
Now save the file. What happens at login is this: pam_unix.so is tried first with the string you typed as your Unix password; if that fails, pam_ssh.so reuses the same string (try_first_pass) as the passphrase for the key files in your ~/.ssh, and succeeds if it decrypts one of them. The session entry then starts an ssh-agent and adds the decrypted key to it. Two cautions. First, the header comment is not decorative: authconfig regenerates this file and will discard your changes, so re-apply them after running it. Second, a mistake in system-auth can lock you out of the machine, so keep a root shell open until you have confirmed in the next section that you can still log in. The nullok option on the pam_ssh.so line tells pam_ssh to accept a key that has no passphrase, which would let an empty password log that account in; an encrypted key does not need it, and leaving it out is safer. Since pam_ssh treats the key files in the user's own ~/.ssh as the credential, make sure that directory is writable only by its owner.
Final steps
You no longer need to run ssh-add at KDE or Gnome startup, so disable it. Log out of your session. When KDM or GDM displays the login screen, type in your username as usual, but instead of your account password type your SSH passphrase. If all has gone well, you are logged into your session. Now open a terminal window and run ps ax|grep ssh-agent to verify that the agent is indeed running, echo $SSH_AUTH_SOCK to confirm that the session is pointed at it, and ssh-add -l to list the keys it holds; the fingerprint of your key should appear. Finally, make an SSH connection to a host that is configured to accept your key. You should be connected without being prompted for a passphrase.
Now log out of this session and log in again, but this time with your normal account password. You should still be able to log in, but this time your SSH key will not be loaded into the agent, and you will be prompted for a passphrase each time you make an SSH connection. This configuration therefore still lets users who have no SSH key log in graphically with their normal passwords.
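Because a broken system-auth can lock you out, it is worth checking the file before logging out. The following script is an added example and not part of the original article: it inspects a system-auth style file for the three pam_ssh-related entries the article adds, checks that the pam_ssh.so auth line is sufficient, carries try_first_pass, and sits after pam_unix.so and before pam_deny.so (after pam_deny.so it would never be reached), and that the session entry that starts the agent is present. It also warns when nullok is set. The sample file it builds is constructed here from the lines shown above; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the FedoraNEWS article): a read-only sanity
# check of the pam_ssh entries in a system-auth style file.
# Usage on a real system:  check_pam_ssh /etc/pam.d/system-auth

# Line number of the first non-comment entry of type $1 (auth, session,
# ...) in file $2 that names module $3 (an extended regex). Empty if none.
pam_line_no() {
    grep -nE "^[[:space:]]*$1[[:space:]]+[^#]*$3" "$2" | head -n 1 | cut -d: -f1
}

# Returns 0 when the expected pam_ssh entries are present and in order,
# 1 otherwise; prints one line per finding.
check_pam_ssh() {
    f="$1"
    rc=0
    unix_auth=$(pam_line_no auth "$f" 'pam_unix\.so')
    ssh_auth=$(pam_line_no auth "$f" 'pam_ssh\.so')
    deny_auth=$(pam_line_no auth "$f" 'pam_deny\.so')
    ssh_sess=$(pam_line_no session "$f" 'pam_ssh\.so')

    if [ -z "$ssh_auth" ]; then
        echo "FAIL: no 'auth ... pam_ssh.so' line"; rc=1
    else
        ssh_line=$(sed -n "${ssh_auth}p" "$f")
        case "$ssh_line" in
            *sufficient*) ;;
            *) echo "FAIL: pam_ssh.so auth line must be 'sufficient' so password logins keep working"; rc=1 ;;
        esac
        case "$ssh_line" in
            *try_first_pass*|*use_first_pass*) ;;
            *) echo "FAIL: pam_ssh.so auth line lacks try_first_pass (it would prompt a second time)"; rc=1 ;;
        esac
        case "$ssh_line" in
            *nullok*) echo "WARN: nullok accepts a key with no passphrase; keep the key encrypted or drop the option" ;;
        esac
        if [ -n "$unix_auth" ] && [ "$ssh_auth" -lt "$unix_auth" ]; then
            echo "FAIL: pam_ssh.so auth line comes before pam_unix.so; the password should be tried first"; rc=1
        fi
        if [ -n "$deny_auth" ] && [ "$ssh_auth" -gt "$deny_auth" ]; then
            echo "FAIL: pam_ssh.so auth line comes after pam_deny.so and is never reached"; rc=1
        fi
    fi
    if [ -z "$ssh_sess" ]; then
        echo "FAIL: no 'session optional pam_ssh.so' line, so no ssh-agent would be started"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $f has the pam_ssh auth and session entries in the expected places"
    fi
    return "$rc"
}

# Constructed sample with the same lines the article shows; written to the
# path given as $1 so the check can be demonstrated without touching /etc.
write_sample_system_auth() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so
auth        sufficient    pam_ssh.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ssh.so
EOF
}

# Demonstration on the constructed sample, safe to run on any machine.
sample=$(mktemp)
write_sample_system_auth "$sample"
check_pam_ssh "$sample" || true
# The same file without the session entry: the passphrase would still log
# you in, but no agent would be started, which the check reports.
broken=$(mktemp)
grep -vE '^session.*pam_ssh\.so' "$sample" > "$broken"
check_pam_ssh "$broken" || true
rm -f "$sample" "$broken"
```

Run it against /etc/pam.d/system-auth after editing and before logging out; an OK line means the entries are where the article puts them, not that your key is in a file pam_ssh will look for, which the next section covers.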
Advanced configuration
The pam_ssh module looks for one of the following filenames to find your key:
- id_dsa
- id_rsa
- identity
If your key is not stored under one of these names in ~/.ssh, you can add an option to the pam_ssh.so line in /etc/pam.d/system-auth to specify alternate file names. See the pam_ssh man page for the option and its syntax.

