Package: libpam-ssh
Version: 1.91.0-9.1
Severity: wishlist

libpam-ssh should work out of the box, without requiring manual PAM configuration. By default, immediately after installing libpam-ssh, if a user logs in and their password also unlocks their SSH key(s), libpam-ssh should start an ssh-agent with the unlocked key(s).
I currently use the following configuration, which accomplishes this:

[EMAIL PROTECTED]:~$ cat /etc/pam.d/pam-ssh-auth
auth optional pam_ssh.so use_first_pass keyfiles=id_dsa,id_rsa,identity,id_dsa1,id_dsa2,id_dsa3
[EMAIL PROTECTED]:~$ cat /etc/pam.d/pam-ssh-session
session optional pam_ssh.so
[EMAIL PROTECTED]:~$ grep -C2 pam-ssh /etc/pam.d/*
/etc/pam.d/gdm-auth required pam_env.so envfile=/etc/default/locale
/etc/pam.d/[EMAIL PROTECTED] common-auth
/etc/pam.d/gdm:@include pam-ssh-auth
/etc/pam.d/[EMAIL PROTECTED] common-account
/etc/pam.d/gdm-session required pam_limits.so
/etc/pam.d/[EMAIL PROTECTED] common-session
/etc/pam.d/gdm:@include pam-ssh-session
/etc/pam.d/[EMAIL PROTECTED] common-password
--
/etc/pam.d/[EMAIL PROTECTED] common-auth
/etc/pam.d/login-
/etc/pam.d/login:# Allow pam-ssh to use the password as SSH passphrase
/etc/pam.d/login:@include pam-ssh-auth
/etc/pam.d/login-
/etc/pam.d/login-# This allows certain extra groups to be granted to a user
--
/etc/pam.d/login-session required pam_limits.so
/etc/pam.d/login-
/etc/pam.d/login:# Let pam-ssh start an agent
/etc/pam.d/login:@include pam-ssh-session
/etc/pam.d/login-
/etc/pam.d/login-# Prints the last login info upon succesful login

I realize that the program-centric PAM configuration mechanism makes this rather difficult, due to the inability to edit other programs' PAM configurations. If PAM had a more generalized version of the pam.d mechanism, the various interactive login programs like gdm and login could do something like "@include.d interactive-auth.d" and "@include.d interactive-session.d", and pam-ssh could drop a file in that directory.

Alternatively, if PAM will silently ignore an @include of a non-existent file, these interactive login programs could always @include the pam-ssh files in appropriate places by default, though that would special-case libpam-ssh rather than solving the general problem.

- Josh Triplett
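An added example, not from the report or from the libpam-ssh package: it resolves @include directives the way the configuration above relies on, reports how pam_ssh.so ends up stacked for a service (so an admin can confirm it is "optional" in both auth and session and a locked or absent key never blocks login), and flags an @include of a file that does not exist, which is the case the report asks about. It runs against a constructed sample pam.d tree written to a temporary directory, not the real /etc/pam.d; file names and contents are assumptions modelled on the report.

```python
import os, tempfile

# Constructed sample pam.d tree modelled on the report (not a real /etc/pam.d); gdm
# deliberately includes a file that does not exist, to exercise the missing-include case.
SAMPLE = {
    "common-auth": "auth required pam_unix.so nullok_secure\n",
    "pam-ssh-auth": "auth optional pam_ssh.so use_first_pass keyfiles=id_dsa,id_rsa,identity\n",
    "pam-ssh-session": "session optional pam_ssh.so\n",
    "login": (
        "auth required pam_securetty.so\n"
        "@include common-auth\n"
        "# Allow pam-ssh to use the password as SSH passphrase\n"
        "@include pam-ssh-auth\n"
        "session required pam_limits.so\n"
        "@include pam-ssh-session\n"
    ),
    "gdm": "@include common-auth\n@include pam-ssh-nonexistent\n",
}

def expand(pamd, service, missing):
    """Resolve @include recursively into (type, control, module, args); simple control words only."""
    path = os.path.join(pamd, service)
    if not os.path.exists(path):
        missing.append(service)  # the case the report asks PAM to ignore silently
        return []
    stack = []
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
            if not line:
                continue
            if line.startswith("@include"):
                stack.extend(expand(pamd, line.split()[1], missing))
            else:
                fields = line.split()
                stack.append((fields[0], fields[1], fields[2], fields[3:]))
    return stack

def pam_ssh_status(pamd, service):
    """Return ({type: control} for each pam_ssh.so entry, [missing include names])."""
    missing = []
    found = {t: ctrl for t, ctrl, mod, _ in expand(pamd, service, missing) if mod == "pam_ssh.so"}
    return found, missing

def write_sample():
    pamd = tempfile.mkdtemp(prefix="pam.d-")  # fresh directory holding the constructed files
    for name, body in SAMPLE.items():
        with open(os.path.join(pamd, name), "w") as fh:
            fh.write(body)
    return pamd
```

Pointing `pam_ssh_status` at a real pam.d directory shows the same two things for a live system: the control word pam_ssh.so is stacked with per module type, and any @include that names a missing file.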