During the last three weeks, I have set up Red Hat Enterprise Linux 4 on this server, watched Revolution OS and examined the kernel timeline to find out I must have started with Linux 0.99 in 1993, passed the Red Hat Certified Engineer exam, installed Fedora Core 3 on four machines, and I attend the RH423 course about Directory Services and Authentication this week.

In this course, I came across pam_ssh. When you work on multiple machines and use SSH to connect to them, using a public/private key pair for authentication is a great convenience. You no longer need to remember passwords for the different servers, but only the one for the private SSH key. And there is ssh-agent, which caches the private key, so you do not have to enter the password for every SSH login. Still, you do have to enter the key's password once after logging in to your local machine.

Now, wouldn't it be cool if you could log in to your desktop machine, and never enter another password until you log out? That's where pam_ssh comes in. It hooks into the login process, asks you for the SSH password instead of your Unix account password, authenticates you and starts ssh-agent.

Configuring it is trivial if you know PAM. The instructions below assume that you use gdm for graphical login, but the process for kdm or xdm should be almost the same.

  1. Save a copy of /etc/pam.d/gdm and make sure that you can log in on a text console before proceeding. Otherwise, you could easily lock yourself out.
  2. Download and install pam_ssh, with the usual ./configure && make install.

  3. In /etc/pam.d/gdm, add this line before the line "auth required pam_stack.so service=system-auth":

    auth sufficient pam_ssh.so

    This will make gdm prompt for your SSH private key password, and if it is correct, authenticate you. Otherwise, it will proceed with the usual authentication, i.e. ask for your Unix password.

  4. At the end of /etc/pam.d/gdm, add this line:

    session optional pam_ssh.so

    This will set up ssh-agent after you have been authenticated.

  5. On Fedora Core 3, the resulting /etc/pam.d/gdm should look like this:
    auth       required     pam_env.so
    auth       sufficient   pam_ssh.so
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    optional     pam_console.so
    session    optional     pam_ssh.so

Update 11 Aug 2005: This also works with Fedora Core 4 x86_64, but only after manually installing the pam_ssh module. It is compiled for 64 bit, but installed in the 32 bit lib directory. To fix this, run the following command after make install:

mv /lib/security/pam_ssh.* /lib64/security

Update 14 Apr 2006: Fedora Core 5 comes with pam_ssh as one of the Extras RPMs. You still have to edit /etc/pam.d/gdm, though:

auth       required     pam_env.so
auth       sufficient   pam_ssh.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
session    optional     pam_ssh.so

Update 26 Nov 2006: When using pam_mount to mount your encrypted home directory during login, put a copy of your SSH key into the unencrypted mount point (usually /home/USERNAME/.ssh). pam_ssh needs to access it before pam_mount does its work. With both pam_mount and pam_ssh, my FC6 /etc/pam.d/gdm looks like this:

auth       required    pam_env.so
auth       required    pam_mount.so
auth       sufficient  pam_ssh.so use_first_pass
auth       include     system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    optional    pam_mount.so
session    optional    pam_ssh.so
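The ordering rules in the steps above and in the pam_mount note are easy to get wrong, and a misplaced line simply makes gdm fall back to asking for the Unix password. As an added example (not from the original post or the pam_ssh project), here is a small Python linter for /etc/pam.d/gdm that checks them; it understands both the FC3 `pam_stack.so service=system-auth` spelling and the FC5+ `include system-auth` spelling, and the sample stack at the end is constructed.

```python
def parse_pam(text):
    """Parse pam.d lines into (type, control, module, args) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        rules.append((fields[0], fields[1], fields[2], fields[3:]))
    return rules

def is_system_auth(rule):
    """Both spellings of handing off to the system-wide stack: FC3 pam_stack, FC5+ include."""
    _, control, module, args = rule
    return (control == "include" and module == "system-auth") or \
           (module == "pam_stack.so" and "service=system-auth" in args)

def check_pam_ssh(text):
    """Return the violations of the recipe's ordering rules; an empty list means it matches."""
    rules = parse_pam(text)
    auth = [r for r in rules if r[0] == "auth"]
    ssh = [i for i, r in enumerate(auth) if r[2] == "pam_ssh.so"]
    sysauth = [i for i, r in enumerate(auth) if is_system_auth(r)]
    mount = [i for i, r in enumerate(auth) if r[2] == "pam_mount.so"]
    problems = []
    if not ssh:
        problems.append("auth: no pam_ssh.so line")
    else:
        i = ssh[0]
        if auth[i][1] != "sufficient":
            problems.append("auth: pam_ssh.so must be 'sufficient' to replace the Unix password")
        if sysauth and sysauth[0] < i:   # system-auth would prompt for the Unix password first
            problems.append("auth: pam_ssh.so must precede the system-auth stack")
        if mount and mount[0] > i:       # pam_mount has to see the password before pam_ssh
            problems.append("auth: pam_mount.so must run before pam_ssh.so")
        if mount and "use_first_pass" not in auth[i][3]:
            problems.append("auth: pam_ssh.so needs use_first_pass when pam_mount prompts first")
    if not any(r[0] == "session" and r[2] == "pam_ssh.so" for r in rules):
        problems.append("session: no pam_ssh.so line, so ssh-agent will not be started")
    return problems

# Constructed sample: an FC5-style stack with pam_ssh.so placed after the system-auth include.
BROKEN_FC5 = ("auth required pam_env.so\nauth include system-auth\n"
              "auth sufficient pam_ssh.so\nsession include system-auth\n")
```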

22:06, 10 Nov 2004 by Carsten Clasohm
