Single Sign On with PAM and SSH [sourceforge.net]
During the last three weeks, I have set up Red Hat Enterprise Linux 4 on this server, watched Revolution OS and examined the kernel timeline to find out I must have started with Linux 0.99 in 1993, passed the Red Hat Certified Engineer exam, installed Fedora Core 3 on four machines, and I attend the RH423 course about Directory Services and Authentication this week.
In this course, I came across pam_ssh. When you work on multiple machines and use SSH to connect to them, using a public/private key pair for authentication is a great convenience. You no longer need to remember passwords for the different servers, but only the one for the private SSH key. And there is ssh-agent, which caches the private key, so you do not have to enter the password for every SSH login. Still, you do have to enter the password after login to your local machine.
Now, wouldn't it be cool if you could log in to your desktop machine, and never enter another password until you log out? That's where pam_ssh comes in. It hooks into the login process, asks you for the SSH password instead of your Unix account password, authenticates you and starts ssh-agent.
Configuring it is trivial if you know PAM. The instructions below assume that you use gdm for graphical login, but the process for kdm or xdm should be almost the same.
Download and install pam_ssh, with the usual ./configure && make install
In /etc/pam.d/gdm, add this line before the line "auth required pam_stack.so service=system-auth":
auth sufficient pam_ssh.so
This will make gdm prompt for your SSH private key password, and
is correct, authenticate you. Otherwise, it will proceed with the usual
authentication, ie. ask for your Unix password.
At the end of /etc/pam.d/gdm, add this line:
session optional pam_ssh.so
This will set up ssh-agent after you have been authenticated.
auth required pam_env.so auth sufficient pam_ssh.so auth required pam_stack.so service=system-auth auth required pam_nologin.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_stack.so service=system-auth session optional pam_console.so session optional pam_ssh.so
Update 11 Aug 2005: This also works with Fedora Core 4 x86_64, but only after manually installing the pam_ssh module. It is compiled for 64 bit, but installed in the 32 bit lib directory. To fix this, run the following command after make install:
mv /lib/security/pam_ssh.* /lib64/security
Update 14 Apr 2006: Fedora Core 5 comes with pam_ssh as one of the Extras RPMs. You still have to edit /etc/pam.d/gdm, though:
auth required pam_env.so auth sufficient pam_ssh.so auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session include system-auth session required pam_loginuid.so session optional pam_console.so session optional pam_ssh.so
Update 26 Nov 2006: When using pam_mount to mount your encrypted home directory during login, put a copy of your SSH key into the unencrypted mount point (usually /home/USERNAME/.ssh). pam_ssh needs to access it before pam_mount does its work. With both pam_mount and pam_ssh, my FC6 /etc/pam.d/gdm looks like this:
auth required pam_env.so auth required pam_mount.so auth sufficient pam_ssh.so use_first_pass auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so session optional pam_console.so session optional pam_mount.so session optional pam_ssh.so
22:06, 10 Nov 2004 by Carsten Clasohm Permalink