Logging into KDE with your SSH passphrase

From FedoraNEWS.ORG

Written by Anand Buddhdev on 2005-11-09


Summary

This little trick allows you to log in to KDE or Gnome using your SSH passphrase. It automatically starts an ssh-agent and adds your key to it. You no longer have to run ssh-add at KDE or Gnome startup.

Requirements

This article assumes that you're running a fully up-to-date Fedora Core 4 system. It also assumes that you have already generated your SSH keypair, which is stored in the usual location, ~/.ssh/id_dsa, and that you have configured KDE or Gnome to run ssh-add at startup, so you can type in your passphrase. The only extra package required for this technique is the pam_ssh package from Fedora Extras. The Extras repository is enabled by default on FC4, so you just need to type yum install pam_ssh as root to install it.

Configuration

Ideally, we would be modifying the /etc/pam.d/system-auth file. However, this file has a warning in it, saying that we should not modify it by hand, because it is auto-generated. So we're going to make a copy of it, and use the copy.

# cd /etc/pam.d
# cp system-auth system-auth-ssh

Next, open the file system-auth-ssh with your favourite text editor, and edit it to look like the text below. The only changes from the original system-auth are the two lines loading pam_ssh.so, one in the auth section and one in the session section (the original article showed them in bold). Because pam_ssh.so is marked sufficient and listed before pam_unix.so, a correct SSH passphrase logs you in without your account password being consulted, while an incorrect passphrase simply falls through to pam_unix.so; this is what ensures that if you use your password instead of the SSH passphrase, you will still be able to log in.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ssh.so
auth        sufficient    /lib/security/$ISA/pam_unix.so try_first_pass likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     sufficient    /lib/security/$ISA/pam_ssh.so
session     required      /lib/security/$ISA/pam_unix.so

Now save this file.

Next, open the file kde (that is, /etc/pam.d/kde) with your favourite text editor. Replace all 4 instances of 'system-auth' with 'system-auth-ssh', as shown below:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth-ssh
auth       required     pam_nologin.so
auth       sufficient   pam_timestamp.so
account    required     pam_stack.so service=system-auth-ssh
password   required     pam_stack.so service=system-auth-ssh
session    required     pam_stack.so service=system-auth-ssh
session    required     pam_loginuid.so
session    optional     pam_timestamp.so
session    optional     pam_selinux.so
session    optional     pam_console.so

Now save this file.

Finally, open the file gdm (that is, /etc/pam.d/gdm) with your favourite text editor. Replace all 4 instances of 'system-auth' with 'system-auth-ssh', as shown below:

#%PAM-1.0
auth       required     pam_env.so
auth       required     pam_stack.so service=system-auth-ssh
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth-ssh
password   required     pam_stack.so service=system-auth-ssh
session    required     pam_stack.so service=system-auth-ssh
session    optional     pam_console.so

Final steps

You no longer need to run ssh-add at KDE or Gnome startup, so you can disable it. Log out of your session. When KDM or GDM displays the login screen, type in your username as usual. However, instead of your usual password, type in your SSH passphrase. If all has gone well, you should be logged into your session. Now open a terminal window, and run ps ax|grep ssh-agent to verify that the agent is indeed running. Now try to make an SSH connection to a host which is configured to allow SSH key logins. You should be able to make the connection without being prompted for a passphrase.

Now log out of this session, and log in again, but this time with your normal account password. You should still be able to log in, but this time your SSH key will not be loaded into the agent, and you will be prompted for a passphrase each time you make an SSH connection. This configuration allows non-SSH users to also log in graphically with their normal passwords.
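The two logins just described (passphrase first, then account password) are decided entirely by the control flags in the auth section of system-auth-ssh. The following Python script is an added example, not part of the original article or of pam_ssh itself: it parses the auth stack exactly as printed above, simulates Linux-PAM's required / requisite / sufficient / optional semantics with each module's verdict supplied by the caller, and reports which modules were actually consulted. It also checks that every pam_stack.so line in the kde file points at system-auth-ssh. Two things worth seeing before you reboot into the new configuration: with pam_ssh.so sufficient, a correct passphrase means pam_unix.so is never asked, so the passphrase on ~/.ssh/id_dsa now has the same standing as your account password at the display manager; and because pam_deny.so is required at the end, the stack still fails closed when both credentials are wrong. The bracketed [value=action] control syntax that real PAM also accepts is deliberately not modelled.

```python
"""Offline model of the auth stack from system-auth-ssh (added example).

Modules are black boxes: the caller states whether each one would
return PAM_SUCCESS.  pam_env.so, pam_permit.so and pam_deny.so have
fixed outcomes, so they need not be supplied.
"""
import re

# auth and session sections as printed in the article (constructed copy).
SYSTEM_AUTH_SSH = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ssh.so
auth        sufficient    /lib/security/$ISA/pam_unix.so try_first_pass likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     sufficient    /lib/security/$ISA/pam_ssh.so
session     required      /lib/security/$ISA/pam_unix.so
"""

# /etc/pam.d/kde as printed in the article (constructed copy).
KDE_PAM = """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth-ssh
auth       required     pam_nologin.so
auth       sufficient   pam_timestamp.so
account    required     pam_stack.so service=system-auth-ssh
password   required     pam_stack.so service=system-auth-ssh
session    required     pam_stack.so service=system-auth-ssh
session    required     pam_loginuid.so
"""

# Modules whose verdict never depends on the user's input.
FIXED_VERDICTS = {"pam_env.so": True, "pam_permit.so": True, "pam_deny.so": False}


def parse_stack(text, facility):
    """Return [(control, module_basename, args)] for one facility, e.g. 'auth'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility:
            continue
        control, path, args = parts[1], parts[2], parts[3:]
        entries.append((control, path.rsplit("/", 1)[-1], args))
    return entries


def run_stack(entries, verdicts):
    """Walk the stack with Linux-PAM's simple control flags.

    verdicts maps module basename -> True/False.  Returns
    (authenticated, modules_consulted) so the caller can see exactly
    where the stack stopped.
    """
    consulted = []
    failed = False  # a 'required' module failed earlier in the stack
    for control, module, _args in entries:
        ok = verdicts.get(module, FIXED_VERDICTS.get(module, False))
        consulted.append(module)
        if control == "required":
            if not ok:
                failed = True  # keep going so the failing module is not revealed
        elif control == "requisite":
            if not ok:
                return False, consulted  # stop immediately
        elif control == "sufficient":
            if ok and not failed:
                return True, consulted  # short-circuit: later modules never run
        elif control == "optional":
            pass  # outcome ignored unless it is the only module
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return not failed, consulted


def login(pam_text, verdicts):
    """Convenience wrapper: evaluate the auth facility of pam_text."""
    return run_stack(parse_stack(pam_text, "auth"), verdicts)


def stack_services(pam_text):
    """Set of service= names handed to pam_stack.so (should be one value)."""
    return set(re.findall(r"pam_stack\.so\s+service=(\S+)", pam_text))


if __name__ == "__main__":
    # Passphrase typed at KDM: pam_ssh accepts, pam_unix would have rejected it.
    print(login(SYSTEM_AUTH_SSH, {"pam_ssh.so": True, "pam_unix.so": False}))
    # Account password typed at KDM: pam_ssh rejects, pam_unix accepts.
    print(login(SYSTEM_AUTH_SSH, {"pam_ssh.so": False, "pam_unix.so": True}))
    # Neither credential is right: pam_deny.so closes the stack.
    print(login(SYSTEM_AUTH_SSH, {"pam_ssh.so": False, "pam_unix.so": False}))
    print(stack_services(KDE_PAM))
```

The first call returns authenticated with only pam_env.so and pam_ssh.so consulted, which is the mechanism behind "you will still be able to log in" with either credential; the third returns a denial after all four modules have run. If stack_services() ever returns more than one name, a pam_stack.so line in kde or gdm was missed during the search-and-replace.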

Advanced configuration

The pam_ssh module looks for one of the following filenames to find your key:

  • id_dsa
  • id_rsa
  • identity

In case your key is not stored under one of these default names, you can add a parameter to the pam_ssh.so line in the system-auth-ssh file to specify alternate names. See the pam_ssh man page for details.
