
#1 2014-01-24 20:39:23

Rexilion
Member
Registered: 2013-12-23
Posts: 784

PAM_SSH without PAM_SSH

Just hacked up something small to replace the lack of pam_ssh in the main ArchLinux archives. This is basically a script that uses pam_exec to perform the same functionality as pam_ssh.

  • Create a file called /etc/pam_exec-pam_ssh.sh and chmod it 755

    #!/bin/bash

    # pam_exec runs this script in two roles:
    #  1. as the PAM hook (argument "session", see /etc/pam.d/system-login)
    #  2. as the SSH_ASKPASS program that ssh-add calls to obtain the passphrase
    # We need role 2 as SSH_ASKPASS substitute because using /usr/bin/cat directly
    # does not work: ssh-add passes the prompt text as an argument,
    # e.g. SSH_ASKPASS=/usr/bin/cat would try to read a file named "Enter passphrase ..."
    if [[ "$1" != 'session' ]]; then
        cat
        exit 0
    fi

    # locate ~/.ssh of the user that is logging in
    SSH_AUTH_DIR="$(su -c 'echo ~' "$PAM_USER")"/.ssh/

    # only proceed when:
    #  - the directory where we are going to place our sock file exists
    #  - a password is available on stdin (otherwise cat might hang indefinitely, causing login to hang as well)
    #  - the PAM service is login or lightdm
    if [[ -d "$SSH_AUTH_DIR" ]] && ! test -t 0 \
        && ( [[ "$PAM_SERVICE" == "lightdm" ]] || [[ "$PAM_SERVICE" == "login" ]] ); then
        export SSH_AUTH_SOCK="$SSH_AUTH_DIR"/ssh_agent.sock
        # this script again, in its askpass role (path must match the file created above)
        export SSH_ASKPASS=/etc/pam_exec-pam_ssh.sh

        # are we already running? if not, delete the stale socket if it exists
        # a stale socket prevents ssh-agent from binding (it fails with "address in use")
        if ! lsof -t "$SSH_AUTH_SOCK" >/dev/null; then
            rm -f "$SSH_AUTH_SOCK"
        else
            exit 0
        fi

        # start ssh-agent as the designated user
        su -c 'ssh-agent -a "$SSH_AUTH_SOCK"' "$PAM_USER"

        # start ssh-add; the fake DISPLAY tricks it into using SSH_ASKPASS
        # the password pam_exec put on stdin (expose_authtok) is handed on as ssh-add's stdin
        cat /dev/stdin | su -c 'env DISPLAY=1 ssh-add' "$PAM_USER"
    fi
  • In /etc/pam.d/system-login , add the following line:

    auth	optional	pam_exec.so quiet expose_authtok /etc/pam_exec-pam_ssh.sh session
  • EDIT: SSH_AUTH_SOCK must point to "$SSH_AUTH_DIR"/ssh_agent.sock in the user session. You have to do this again (it's not inherited from pam_exec) for each user and each session.

    I use ~/.pam_environment like this:

    SSH_AUTH_SOCK=/home/secure/ronald/.ssh/ssh_agent.sock

Last edited by Rexilion (2014-02-17 08:25:32)


fs/super.c : "Self-destruct in 5 seconds.  Have a nice day...\n",
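Added example, not Rexilion's script: the helper's decisions (askpass role, when to start an agent, whether the socket file is live or stale) factored into POSIX sh functions that can be exercised outside PAM. It assumes, unlike the original, that the agent's PID was saved in a pidfile next to the socket (ssh-agent -a prints SSH_AGENT_PID, which the caller would record), so liveness is checked with kill -0 instead of lsof; the demo uses an empty regular file as a stand-in for the socket and starts no agent.

```shell
#!/bin/sh
# Added example (not the forum post's code): pam_exec helper logic as testable functions.
# Assumption: the agent PID lives in "<socket>.pid" (hypothetical convention, not in the post).

# askpass role: ssh-add invokes "$SSH_ASKPASS 'Enter passphrase for ...: '",
# so the prompt arrives as $1 and must be ignored; the secret is read from stdin.
askpass_from_stdin() {
    cat
}

# Decide whether an agent should be started for this PAM event.
#   $1 = PAM_SERVICE, $2 = the user's ~/.ssh directory,
#   $3 = "tty" when stdin is a terminal (no expose_authtok password available)
should_start_agent() {
    service=$1; sshdir=$2; stdin_kind=$3
    [ -d "$sshdir" ] || return 1          # nowhere to place the socket
    [ "$stdin_kind" != tty ] || return 1  # no password on stdin: cat would block
    case $service in
        login|lightdm) return 0 ;;
        *)             return 1 ;;
    esac
}

# Classify the socket path: "absent", "running" (owner PID alive) or "stale"
# (file left behind by an agent that died; ssh-agent -a will refuse to bind it).
socket_state() {
    sock=$1; pidfile=$1.pid
    [ -e "$sock" ] || { echo absent; return 0; }
    if [ -r "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# Remove a stale socket and its pidfile; refuse (return 1) if an agent still owns it.
reap_stale_socket() {
    case $(socket_state "$1") in
        absent)  return 0 ;;
        stale)   rm -f "$1" "$1.pid"; return 0 ;;
        running) return 1 ;;
    esac
}

# Demo on a constructed ~/.ssh in a temp dir; starts no agent, prints the states.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.ssh"
    sock=$tmp/.ssh/ssh_agent.sock
    should_start_agent login "$tmp/.ssh" pipe && echo "login via pipe: start agent"
    should_start_agent sshd "$tmp/.ssh" pipe || echo "sshd: leave alone"
    : > "$sock"; echo 4194305 > "$sock.pid"   # fake leftover of a dead agent (PID above pid_max)
    echo "before reap: $(socket_state "$sock")"
    reap_stale_socket "$sock"
    echo "after reap:  $(socket_state "$sock")"
    rm -rf "$tmp"
}
```

Source the file and call demo to see the stale/absent transition; in the real helper the reap step would run just before su -c 'ssh-agent -a ...', and the pidfile would be written from the SSH_AGENT_PID that ssh-agent prints.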


#2 2014-02-17 08:24:20

Rexilion
Member
Registered: 2013-12-23
Posts: 784

Re: PAM_SSH without PAM_SSH

I modified it to make it work if ssh-agent shuts down in an unclean way. If the stale sockfile is left behind, it will not ever bind to it again. Even a sock file that is not attached is handled as an 'address in use'. Funny.


