Bug 111869

Summary: including pam_ssh.so in the distribution
Product: [Fedora] Fedora
Reporter: Sean Middleditch <sean>
Component: distribution
Assignee: Bill Nottingham <notting>
Status: CLOSED WONTFIX
QA Contact: Bill Nottingham <notting>
Severity: medium
Priority: medium
Version: 1
CC: mitr, nalin, rvokal
Keywords: FutureFeature
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2003-12-11 19:48:50 UTC

Description Sean Middleditch 2003-12-11 02:14:08 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031114 Epiphany/1.0.4

Description of problem:
The pam_ssh PAM module (http://www.sourceforge.net/projects/pam-ssh)
provides two useful components to a system.

(1) Authentication vs SSH-Keys.  With, for example, an NFS mounted
home dir, this allows authentication information to be "distributed"
for users across a network with no need for painfully configuring
LDAP/Kerberos/etc. servers.  This is, admittedly, not *that* useful.

(2) The killer feature is, when you log in (new session), pam_ssh.so
can start a new ssh-agent, and provide the login password you provided
for loading and decrypting your private key.  This provides, in
essence, a primitive single sign-on behaviour for networks making
heavy use of SSH; remote apps or connections can be started without
ever needing to enter a password (so long as your login and SSH key
passwords are identical, or you are using your SSH key as your login
system).

The second feature is very, very useful to anyone who administrates or
uses a large number of machines, be they in a local or remote network,
from a command-line, or makes heavy use of X clients across SSH
tunnels.  The ability to only ever enter one password, just once, is a
huge convenience.

I have installed pam_ssh from CVS on both a Fedora Core 1 system and a
Fedora Devel system, and it works flawlessly, once properly set up.

Version-Release number of selected component (if applicable):
pam-0.77-19.sel

How reproducible:
Always

Steps to Reproduce:
1. login
2. open ssh connection
3. notice you have to retype your password, or manually run ssh-add
(and then still retype your password)
    

Additional info:

Comment 1 Bill Nottingham 2003-12-11 19:48:50 UTC
This is probably something for Fedora Extras at this point.

The main concern is that the main feature relies on password + key
passphrase being the same; this is often not the case, and I'm pretty
sure that someplace actually recommends that they be different.



Comment 2 Sean Middleditch 2003-12-11 19:56:23 UTC
Technically, no, you *can* use two different passwords - during login,
you will just be asked for both of them.  If the SSH key password is
incorrect (or empty), ssh-agent simply will not load/decrypt the key.
In this case, pam_ssh may not bring it down to a single password, but
it does make for an easy and automatic use of ssh-agent/ssh-add
(whereas now, in order to make full use of ssh-agent/ssh-add, you must
manually run ssh-add after login).  Fedora Extras will though work fine
for this request.