Bug 111869 - including pam_ssh.so in the distribution
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: distribution
Version: 1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Bill Nottingham
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-12-11 02:14 UTC by Sean Middleditch
Modified: 2014-03-17 02:40 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-12-11 19:48:50 UTC
Type: ---
Embargoed:



Description Sean Middleditch 2003-12-11 02:14:08 UTC

Description of problem:
The pam_ssh PAM module (http://www.sourceforge.net/projects/pam-ssh)
provides two useful components to a system.

(1) Authentication vs SSH-Keys.  With, for example, an NFS mounted
home dir, this allows authentication information to be "distributed"
for users across a network with no need for painfully configuring
LDAP/Kerberos/etc. servers.  This is, admittedly, not *that* useful.

(2) The killer feature is, when you log in (new session), pam_ssh.so
can start a new ssh-agent, and provide the login password you provided
for loading and decrypting your private key.  This provides, in
essence, a primitive single sign-on behaviour for networks making
heavy use of SSH; remote apps or connections can be started without
ever needing to enter a password (so long as your login and SSH key
passwords are identical, or you are using your SSH key as your login
system).

The second feature is very, very useful to anyone who administrates or
uses a large number of machines, be they in a local or remote network,
from a command-line, or makes heavy use of X clients across SSH
tunnels.  The ability to only ever enter one password, just once, is a
huge convenience.

I have installed pam_ssh from CVS on both a Fedora Core 1 system and a
Fedora Devel system, and it works flawlessly, once properly set up.

Version-Release number of selected component (if applicable):
pam-0.77-19.sel

How reproducible:
Always

Steps to Reproduce:
1. login
2. open ssh connection
3. notice you have to retype your password, or manually run ssh-add
(and then still retype your password)
    

Additional info:

Comment 1 Bill Nottingham 2003-12-11 19:48:50 UTC
This is probably something for Fedora Extras at this point.

The main concern is that the main feature relies on password + key
passphrase being the same; this is often not the case, and I'm pretty
sure that someplace actually recommends that they be different.



Comment 2 Sean Middleditch 2003-12-11 19:56:23 UTC
Technically, no, you *can* use two different passwords - during login,
you will just be asked for both of them.  If the SSH key password is
incorrect (or empty), ssh-agent simply will not load/decrypt the key.
In this case, pam_ssh may not bring it down to a single password, but
it does make for an easy and automatic use of ssh-agent/ssh-add (whereas
now, in order to make full use of ssh-agent/ssh-add, you must
manually run ssh-add after login).  Fedora Extras will though work fine
for this request.

