
Single sign-on with kdm for Debian via pam_ssh (I)

An ssh agent allows authenticating to ssh servers without typing the passphrase every time. A common setup for achieving this goal in the KDE desktop is to put a shell script, let’s say add_key.sh, under ~/.kde/Autostart and let the script start the agent (if needed) and execute the ssh-add command so that our RSA/DSA identity is added to the agent.

In this scenario, every time we start our session via kdm, we’ll have to enter our login password and then the passphrase (probably using a dialog provided by ksshaskpass or a similar program that ssh-add calls).

We can go a step further and authenticate ourselves just once, using the passphrase when we start a session via kdm, and then have our key added to the ssh agent automatically. We’ll do it by using a PAM module called pam_ssh. There are lots of posts on the Internet explaining how to do it but I haven’t found a single one working in Debian (my fault, that’s for sure 😦 so I decided to write such a useful post.

These are the steps to follow (I assume that you have OpenSSH properly installed and you have created your RSA/DSA keys):

– install the libpam-ssh package
– read the package documentation, in particular the /usr/share/doc/libpam-ssh/README.Debian file
– create the directory ~/.ssh/login-keys.d and populate it following the instructions from the README.Debian file. In short, create soft links pointing to the private key files that live in the parent directory
– configure /etc/pam.d/kdm for using the pam_ssh.so module. Again the README.Debian file is a great help.

For example, my /etc/pam.d/kdm file follows:

#
# /etc/pam.d/kdm - specify the PAM behaviour of kdm
#
auth       required     pam_nologin.so
auth       required     pam_env.so readenv=1
auth       required     pam_env.so readenv=1 envfile=/etc/default/locale
auth       required     pam_ssh.so
@include common-account
session    required     pam_limits.so
@include common-session
session    optional     pam_ssh.so
@include common-password

This configuration forces me to authenticate with my passphrase when I start a kdm session (other setups may fit your needs better). Afterwards my key is automatically added to the ssh agent, so I can connect to remote ssh servers without entering the passphrase every time I log in to the server.
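As an added example (not part of the original post), here is a small POSIX sh script that automates the login-keys.d step and inspects how pam_ssh.so is wired in a PAM service file, reporting whether the auth line is "required" (passphrase mandatory) or "sufficient" (password login still possible). The function names, the id_rsa/id_dsa file names it looks for and the temporary demo directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: two helpers for the pam_ssh setup
# described above. Every path is a parameter, so both can be tried against a
# throwaway directory before touching a real ~/.ssh or /etc/pam.d/kdm.

# Step 3 of the post: create $sshdir/login-keys.d and symlink each private key
# found in $sshdir into it. pam_ssh only loads keys listed there.
# Prints the number of keys linked.
setup_login_keys() {
  sshdir=$1
  keydir="$sshdir/login-keys.d"
  mkdir -p "$keydir" && chmod 700 "$keydir"
  count=0
  for key in id_rsa id_dsa; do
    # link only a key whose public half exists too; keep the link relative
    [ -f "$sshdir/$key" ] && [ -f "$sshdir/$key.pub" ] || continue
    ln -sf "../$key" "$keydir/$key"
    count=$((count + 1))
  done
  echo "$count"
}

# Step 4 of the post: report how pam_ssh.so is wired in a PAM service file.
# Prints "<auth control> <session line present>", e.g. "required yes".
# "required" means the kdm login needs the key passphrase (no password
# fallback); "sufficient" lets the ordinary password still work, as discussed
# in the comments. Only the simple keyword controls are recognised; the
# bracketed [success=... default=...] syntax is reported as "complex".
pam_ssh_mode() {
  pamfile=$1
  auth=$(awk '$1 == "auth" && $0 ~ /pam_ssh\.so/ {
              c = $2; if (c ~ /^\[/) c = "complex"; print c; exit }' "$pamfile")
  session=$(awk '$1 == "session" && $0 ~ /pam_ssh\.so/ { print "yes"; exit }' "$pamfile")
  echo "${auth:-none} ${session:-no}"
}

# Demo on a constructed copy of the post's /etc/pam.d/kdm (assumed temp dir).
demo_dir=$(mktemp -d)
cat > "$demo_dir/kdm" <<'EOF'
auth       required     pam_nologin.so
auth       required     pam_ssh.so
@include common-account
session    required     pam_limits.so
session    optional     pam_ssh.so
EOF
pam_ssh_mode "$demo_dir/kdm"   # required yes
rm -r "$demo_dir"
```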

  1. October 23, 2010 at 3:00 pm

    Nice recipe. Want to see more of these!

  2. October 23, 2010 at 9:01 pm

    I just went through something very similar myself a few weeks ago, only with Archlinux.

    Have you tried keychain? It’s been around a while, it’s very good.

    • October 23, 2010 at 9:04 pm

      Hi Scott. I’ve heard about keychain but I haven’t tried it. Can I get single sign-on (as described in the post) with it?

  3. October 23, 2010 at 9:04 pm

    Wow Vicent, this is really interesting! Just a question: can you still authenticate using your ordinary password? I guess so because of the “session optional pam-ssh”.

    • October 25, 2010 at 4:04 pm

      No, you can’t. Beware of sections. The line you mention is in the session section, not in the authentication one. One way of doing what you suggest would be to change the line

      auth required pam_ssh

      to

      auth sufficient pam_ssh

      PS: I’ve failed when trying to use the user’s password to decrypt the user’s SSH key following the instructions of the README.Debian file. Help with this new problem is welcome 🙂

      • October 26, 2010 at 1:38 pm

        Umm, that may need further investigation… 🙂

    • Vicent
      October 29, 2010 at 1:57 pm

      I explain how to do it in the second post (now this is a miniseries 🙂

