Hence no real SSO is possible, but that was the reason I wanted libpam-ssh in the first place.
Logging in with the ssh passphrase in wdm works just fine, but it does not unlock the keys in ~/.ssh/
Code:
tister@sarevok:~#ssh-add -l
The agent has no identities.
tister@sarevok:~#cat .ssh/agent-sarevok-\:0
SSH_AUTH_SOCK=/tmp/ssh-NBFZzP5130/agent.5130; export SSH_AUTH_SOCK;
SSH_AGENT_PID=5131; export SSH_AGENT_PID;
echo Agent pid 5131;
tister@sarevok:~#ps aux | grep agent
tister 5131 0.0 0.0 4776 956 ? Ss 17:29 0:00 ssh-agent -s
tister 5155 0.0 0.0 4776 640 ? Ss 17:29 0:00 /usr/bin/ssh-agent /usr/bin/ck-launch-session /usr/bin/dbus-launch --exit-with-session startfluxbox
tister 5647 0.0 0.0 5064 764 pts/1 S+ 17:34 0:00 grep agent
tister@sarevok:~#echo $SSH_AGENT_PID
5155
If I'm reading this right, there is a second ssh-agent running, which started with fluxbox. I'm not quite sure if that's how it's supposed to be.
Code:
tister@sarevok:~#ssh-add
Enter passphrase for /home/tister/.ssh/id_rsa:
Identity added: /home/tister/.ssh/id_rsa (/home/tister/.ssh/id_rsa)
Identity added: /home/tister/.ssh/id_dsa (/home/tister/.ssh/id_dsa)
tister@sarevok:~#ssh-add -l
2048 c9:6b:e1:74:1a:e7:d8:97:66:4b:52:44:5d:65:65:41 /home/tister/.ssh/id_rsa (RSA)
1024 ab:9c:4e:77:59:78:84:90:39:0b:d4:39:b4:0e:b7:96 /home/tister/.ssh/id_dsa (DSA)
tister@sarevok:~#
As you can see, I can manually load/unlock the keys. But that is not what I intended.
Both my /etc/pam.d/login and /etc/pam.d/wdm are configured like this:
Code:
auth sufficient pam_unix.so nullok_secure
auth required pam_ssh.so use_first_pass
...
@include common-session
session optional pam_ssh.so
...
When I log in on a terminal the keys get unlocked correctly:
Code:
tister@sarevok:~#cat .ssh/agent-sarevok-_dev_tty3
SSH_AUTH_SOCK=/tmp/ssh-NBFZzP5130/agent.5130; export SSH_AUTH_SOCK;
SSH_AGENT_PID=5131; export SSH_AGENT_PID;
echo Agent pid 5131;
tister@sarevok:~#ps aux | grep agent
tister 5131 0.0 0.0 4776 956 ? Ss 17:29 0:00 ssh-agent -s
tister 5155 0.0 0.0 4776 964 ? Ss 17:29 0:00 /usr/bin/ssh-agent /usr/bin/ck-launch-session /usr/bin/dbus-launch --exit-with-session startfluxbox
tister 6282 0.0 0.0 5064 768 pts/3 S+ 17:46 0:00 grep agent
tister@sarevok:~#ssh-add -l
2048 c9:6b:e1:74:1a:e7:d8:97:66:4b:52:44:5d:65:65:41 /home/tister/.ssh/login-keys.d/login-key-rsa (RSA)
which is obviously because logging in from a terminal uses the right ssh-agent. (Note that it's following/using the symlink in login-keys.d this time.)
For me, the issue seems to be that logging in from wdm/xdm (I tested both) starts a second ssh-agent which does not load/unlock the keys, contrary to logging in on the terminal, which is working like it's supposed to.
Now I have two questions:
- How do I tell the second ssh-agent to load/unlock my keys (automatically, not manually like I did before)? Respectively,
- How do I get rid of the second ssh-agent and use the first one when logging in with wdm?
Any help or hints are very much appreciated! This problem has been bugging me for days now!
MTIA
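The two agent files and the two ps listings in the post tell the story: pam_ssh records the PID of the agent it started and unlocked (5131), while the X session exports the PID of a different agent (5155), so ssh-add talks to an agent that was never given the keys. The following diagnostic script is an added example, not code from the post or from libpam-ssh; it parses a pam_ssh-style agent file, compares it with the session environment, counts ssh-agent processes in a ps listing, and, with --live, checks that SSH_AUTH_SOCK really is a socket owned by the current user. The agent file naming pattern agent-<host>-<tty or display with / replaced by _> is inferred from the two file names in the post and is an assumption.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): show which ssh-agent a
# session is really talking to and whether the pam_ssh agent file in
# ~/.ssh/ names that same agent. The agent-file format is the one the post
# shows ("VAR=value; export VAR;" lines). The file name pattern
# agent-<host>-<tty or display, with / replaced by _> is inferred from the
# two files in the post and is an assumption.

# Print one variable (SSH_AGENT_PID or SSH_AUTH_SOCK) from an agent file.
agent_file_var() {
    file="$1"; var="$2"
    # "SSH_AGENT_PID=5131; export SSH_AGENT_PID;" -> 5131
    sed -n "s/^${var}=\([^;]*\);.*/\1/p" "$file" | head -n 1
}

# Compare the PID in an agent file with the PID the session exports.
# Exit status: 0 same agent, 1 different agent, 2 file has no PID.
agent_file_matches_env() {
    file="$1"; env_pid="$2"
    file_pid=$(agent_file_var "$file" SSH_AGENT_PID)
    [ -n "$file_pid" ] || return 2
    [ "$file_pid" = "$env_pid" ]
}

# Count ssh-agent processes in a "ps aux" listing read from stdin. Only
# the command column (field 11) is matched, so "grep agent" is not counted.
count_agents_in_ps() {
    awk '$11 == "ssh-agent" || $11 ~ /\/ssh-agent$/ { n++ } END { print n + 0 }'
}

# Live check of the calling session. Prints findings; exit status 0 only
# when the environment points at a running ssh-agent whose socket is owned
# by this user and the agent file (if present) names the same agent.
check_session() {
    agent_file="$1"
    rc=0
    if [ -z "${SSH_AGENT_PID-}" ] || ! kill -0 "$SSH_AGENT_PID" 2>/dev/null; then
        echo "SSH_AGENT_PID unset or not a running process"; rc=1
    elif [ "$(ps -o comm= -p "$SSH_AGENT_PID")" != "ssh-agent" ]; then
        echo "PID $SSH_AGENT_PID is not an ssh-agent"; rc=1
    fi
    if [ -z "${SSH_AUTH_SOCK-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "SSH_AUTH_SOCK unset or not a socket"; rc=1
    elif [ -z "$(find "$SSH_AUTH_SOCK" -prune -user "$(id -un)" -print 2>/dev/null)" ]; then
        echo "$SSH_AUTH_SOCK is not owned by $(id -un)"; rc=1
    fi
    if [ -f "$agent_file" ]; then
        agent_file_matches_env "$agent_file" "${SSH_AGENT_PID-}" && m=0 || m=$?
        case $m in
            0) echo "agent file and environment name the same agent" ;;
            1) echo "agent file names pid $(agent_file_var "$agent_file" SSH_AGENT_PID), environment has ${SSH_AGENT_PID-unset}: two agents"; rc=1 ;;
            *) echo "agent file $agent_file has no SSH_AGENT_PID" ;;
        esac
    fi
    echo "ssh-agent processes for $(id -un): $(ps -u "$(id -un)" -o comm= | grep -cx ssh-agent)"
    return $rc
}

# Sample input: the ps(1) lines quoted in the post, embedded here so the
# counter can be exercised without a live system.
SAMPLE_PS='tister 5131 0.0 0.0 4776 956 ? Ss 17:29 0:00 ssh-agent -s
tister 5155 0.0 0.0 4776 640 ? Ss 17:29 0:00 /usr/bin/ssh-agent /usr/bin/ck-launch-session /usr/bin/dbus-launch --exit-with-session startfluxbox
tister 5647 0.0 0.0 5064 764 pts/1 S+ 17:34 0:00 grep agent'

# Run the live check when invoked with --live; the session name is the
# display or tty with / replaced by _, mirroring the post's file names.
if [ "${1-}" = "--live" ]; then
    session=${DISPLAY:-$(tty)}
    check_session "$HOME/.ssh/agent-$(hostname)-$(printf '%s' "$session" | tr / _)"
fi
```

Run it as `sh agent-check.sh --live` from the X session: on the post's system it would report that the agent file names pid 5131 while the environment has 5155, i.e. two agents, which is the mismatch behind the empty `ssh-add -l`. The socket ownership check is there because whoever can connect to SSH_AUTH_SOCK can use the unlocked keys, so the socket directory ssh-agent creates under /tmp should remain mode 0700 and owned by the login user. As an aside that the post itself does not state: the second agent's command line (`ssh-agent /usr/bin/ck-launch-session ... startfluxbox`) is what Debian's X session startup produces when `use-ssh-agent` is enabled in /etc/X11/Xsession.options, so that setting is a reasonable place to look when tracing where the extra agent comes from.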