From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031114 Epiphany/1.0.4

Description of problem:
The pam_ssh PAM module (http://www.sourceforge.net/projects/pam-ssh) provides two useful components to a system.

(1) Authentication vs SSH-Keys. With, for example, an NFS mounted home dir, this allows authentication information to be "distributed" for users across a network with no need for painfully configuring LDAP/Kerberos/etc. servers. This is, admittedly, not *that* useful.

(2) The killer feature is, when you log in (new session), pam_ssh.so can start a new ssh-agent, and provide the login password you provided for loading and decrypting your private key. This provides, in essence, a primitive single sign-on behaviour for networks making heavy use of SSH; remote apps or connections can be started without ever needing to enter a password (so long as your login and SSH key passwords are identical, or you are using your SSH key as your login system).

The second feature is very, very useful to anyone who administrates or uses a large number of machines, be they in a local or remote network, from a command-line, or makes heavy use of X clients across SSH tunnels. The ability to only ever enter one password, just once, is a huge convenience.

I have installed pam_ssh from CVS on both a Fedora Core 1 system and a Fedora Devel system, and it works flawlessly, once properly set up.

Version-Release number of selected component (if applicable):
pam-0.77-19.sel

How reproducible:
Always

Steps to Reproduce:
1. login
2. open ssh connection
3. notice you have to retype your password, or manually run ssh-add (and then still retype your password)

Additional info:
This is probably something for Fedora Extras at this point. The main concern is that the main feature relies on password + key passphrase being the same; this is often not the case, and I'm pretty sure that someplace actually recommends that they be different.
Technically, no, you *can* use two different passwords - during login, you will just be asked for both of them. If the SSH key password is incorrect (or empty), ssh-agent simply will not load/decrypt the key. In this case, pam_ssh may not bring it down to a single password, but it does make for an easy and automatic use of ssh-agent/ssh-add (whereas now, in order to make full use of ssh-agent/ssh-add, you must manually run ssh-add after login). Fedora Extras will though work fine for this request.