Red Hat Bugzilla – Bug 111869
including pam_ssh.so in the distribution
Last modified: 2014-03-16 22:40:50 EDT
Description of problem:
The pam_ssh PAM module (http://www.sourceforge.net/projects/pam-ssh)
provides two useful components to a system.
(1) Authentication vs SSH-Keys. With, for example, an NFS mounted
home dir, this allows authentication information to be "distributed"
for users across a network with no need for painfully configuring
LDAP/Kerberos/etc. servers. This is, admittedly, not *that* useful.
(2) The killer feature is, when you log in (new session), pam_ssh.so
can start a new ssh-agent, and provide the login password you provided
for loading and decrypting your private key. This provides, in
essence, a primitive single sign-on behaviour for networks making
heavy use of SSH; remote apps or connections can be started without
ever needing to enter a password (so long as your login and SSH key
passwords are identical, or you are using your SSH key as your login
The second feature is very, very useful to anyone who administrates or
uses a large number of machines, be they in a local or remote network,
from a command-line, or makes heavy use of X clients across SSH
tunnels. The ability to only ever enter one password, just once, is a
I have installed pam_ssh from CVS on both a Fedora Core 1 system and a
Fedora Devel system, and it works flawlessly, once properly set up.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
2. open ssh connection
3. notice you have to retype your password, or manually run ssh-add
(and then still retype your password)
This is probably something for Fedora Extras at this point.
The main concern is that the main feature relies on password + key
passphrase being the same; this is often not the case, and I'm pretty
sure that someplace actually recommends that they be different.
Technically, no, you *can* use two different passwords - during login,
you will just be asked for both of them. If the SSH key password is
incorrect (or empty), ssh-agent simply will not load/decrypt the key.
In this case, pam_ssh may not bring it down to a single password, but
it does make for an easy and automatic use of ssh-agent/ssh-add (whereas
now, in order to make full use of ssh-agent/ssh-add, you must
manually run ssh-add after login). Fedora Extras will work fine, though,
for this request.