Archive for October, 2010

Single sign-on with kdm for Debian via pam_ssh (II)

October 29, 2010 7 comments

In my previous post I gave a first example of single sign-on using kdm and pam_ssh on a Debian box. Now I’ll provide a more flexible way for achieving the same goal: you will be able to use your passphrase or your password in order to authenticate and pass your OpenSSH keys to an agent. In the meantime I’ll also replace the ssh-agent (that pam_ssh uses by default) with the gpg-agent because it is more flexible and provides additional functionality (it can manage both OpenSSH keys and GPG keys). I assume the gnupg-agent package is installed in your system.

In the example given in my previous post we can see the line:

session optional

This line forces to use a ssh-agent during the X session.

On the other hand we know that during the start sequence of kdm, the system Xsession files (i.e. /etc/X11/Xsession* files and files under /etc/X11/Xsession.d directory) are called. In particular the 90gpg-agent file is sourced. As a result, a gpg-agent will be launched and it will be alive until the X session ends. So eventually we’ll have both a ssh-agent and a gpg-agent running during the X session. However the gpg-agent can be used as a drop-in replacement for the ssh-agent if we pass the --enable-ssh-support to it. So we do the following:

* comment out the session optional line in the /etc/pam.d/kdm configuration file

* edit the /etc/X11/Xsession.d/90gpg-agent file and add the --enable-ssh-support option to the line where the agent is launched. We’ll have something like

STARTUP="$GPGAGENT --enable-ssh-support --daemon --sh --write-env-file=$PID_FILE $STARTUP"

And now for the authentication part. It will be short. I’ll simply give a couple of useful configurations of the /etc/pam.d/kdm file. First, if we want to authenticate only with our password and load our SSH keys into the gpg-agent we can do:

auth @include common-auth
auth sufficient

We can use the optional control instead of the sufficient one. The order of the lines is not important (it can be reversed). This same result can be reached if we pass the use_first_pass argument to the pam_ssh module:

auth @include common-auth
auth sufficient use_first_pass

And second, if we want to authenticate with our passphrase or our password and load our SSH keys into the gpg-agent we can do:

auth @include common-auth
auth sufficient try_first_pass

Again we can use the optional control too. And again the order of lines doesn’t matter.

As a final remark I’d like to say that a configuration like:

auth @include common-auth
auth required | requisite use_first_pass | try_first_pass

will always fail and will lock the access to our system via kdm.

Categories: GNU/Linux, Security Tags: , ,

Single sign-on with kdm for Debian via pam_ssh (I)

October 23, 2010 8 comments

An ssh agent allows for authentication in ssh servers without writing the passphrase explicitly. A common setup for achieving this goal in the KDE desktop is to put a shell script, let’s say, under ~./kde/Autostart and let the script to start the agent (if needed) and execute the ssh-add command so that our RSA/DSA identity will be added to the agent.

In this scenario,every time we start our session via kdm, we’ll have to enter our login password and then the passphrase (probably using a dialog provided by ksshaskpass or a similar program that will be called from the ssh-add program).

We can go a step further and authenticate ourselves just once using the passphrase when we start a session via kdm and then adding automatically the passphrase to the ssh agent. We’ll do it by using a PAM module called pam_ssh. There are lots of posts in Internet explaining how to do it but I haven’t found a single one working in Debian (my fault, that’s for sure 😦 so I decided to write such a useful post.

These are the steps to follow (I assume that you have OpenSSH properly installed and you have created your RSA/DSA keys):

– install the libpam-ssh package
– read the package documentation, in particular the /usr/share/doc/libpam-ssh/README.Debian file
– create the directory ~/.ssh/login-keys.d and populate it following the instructions from the README.Debian file. For short, create soft links pointing to the private key files that live in the parent directory
– configure /etc/pam.d/kdm for using the module. Again the README.Debian file is a great help.

For example, my /etc/pam.d/kdm file follows:

# /etc/pam.d/kdm - specify the PAM behaviour of kdm
auth       required
auth       required readenv=1
auth       required readenv=1 envfile=/etc/default/locale
auth required
@include common-account
session    required
@include common-session
session optional
@include common-password

This configuration forces me to authenticate with my passphrase (other setups may fit better your needs) when I start a kdm session. Afterwards the passphrase is automatically added to the ssh-agent so I can connect to remote ssh servers without entering the passphrase every time I login in the server.

Categories: GNU/Linux, Security Tags: ,