
List:       opensolaris-security-discuss
Subject:    [Security-discuss] Re: OpenSolaris PAM page
From:       William.Fiveash () sun ! com (Will Fiveash)
Date:       2006-04-28 16:58:51
Message-ID: 20060428235847.GA18682 () sun ! com

On Thu, Apr 27, 2006 at 02:08:44PM -0500, Nicolas Williams wrote:
> On Thu, Apr 27, 2006 at 11:36:40AM -0700, Alan Coopersmith wrote:
> > Darren J Moffat wrote:
> > >I've just set up the start of a PAM page on OpenSolaris.org as part of 
> > >the OpenSolaris security community.
> > >
> > >http://opensolaris.org/os/community/security/projects/pam/
> > >
> > >I started with some of the PAM modules that I've had sitting in my home 
> > >directory.  It was interesting, for me, to see that I wrote some of these 
> > >about 9 years ago.  I've released these under the CDDL.
> > 
> > I like the idea of pam_xauth_cred - I was actually wondering earlier this
> > week if there should be a pam_ssh-agent_cred to establish ssh-agent in the
> > login process instead of having to add it to the desktop session startup
> > files.   Would that make any sense?
> 
> Provided the details of how the agents are started/found make sense.
> 
> Do you want to share a session's agent with other sessions for the same
> user?

As an aside here is what I use in my ksh ~/.profile:

if ! pgrep -u $LOGNAME '^ssh-agent$' >/dev/null
then
    if [[ -o interactive ]]
    then
        if [[ -f ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME ]]
        then
            rm -f ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME
        fi
        orig_umask=$(umask)
        umask u=rwx,go= # don't allow others any perms
        # start ssh-agent, store env. var.s output by ssh-agent
        /usr/bin/ssh-agent > ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME
        umask $orig_umask
    fi
fi

# set env. to talk to ssh-agent
if [[ -r ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME ]]
then
    # set env. var.s output by ssh-agent carefully: only accept the two
    # expected assignments, with no $ or backtick in the socket path.
    # The if tests sed's exit status, not egrep's, so also require that
    # the filtered file is non-empty (i.e. egrep actually matched).
    if egrep '^(SSH_AUTH_SOCK=/[^`$]+|SSH_AGENT_PID=[0-9]+);' \
        ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME | \
        sed -e 's/;.*//' > ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME.filter && \
        [[ -s ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME.filter ]]
    then
        # source env. settings
        . ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME.filter
    else
        print "Warning: could not setup ssh-agent environment!"
    fi
else
    print "Warning, can't read ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME"
    print "SSH env. not setup!"
fi

if [[ -o interactive ]] && \
    /usr/bin/ssh-add -l | grep 'The agent has no identities'
then
    # add ssh ID if none found
    /usr/bin/ssh-add
fi

===============================================
The first session starts ssh-agent; other login sessions source the settings
from a file.

-- 
Will Fiveash
Sun Microsystems
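The "source carefully" step in Will's profile is the security-relevant part: the file holding ssh-agent's output is written by one process and later executed by every other login shell, so anything that can tamper with it gets code execution in those shells. The following is an added example (not Will's code and not from the OpenSolaris PAM project) of the same step in portable sh that never sources or evals the file at all: it extracts the two values, validates them, and also refuses a stale file whose recorded agent process is gone. It assumes ssh-agent's Bourne-style output format (shown in the comments); the variable names agent_sock and agent_pid and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Will's profile): parse ssh-agent's Bourne-style output
# without sourcing it.  Each value is extracted and validated; nothing from
# the file is ever passed to eval or '.', so a tampered file cannot run code.
#
# Assumed input format (what "ssh-agent" prints for a Bourne-style shell):
#   SSH_AUTH_SOCK=/tmp/ssh-XXXXXX/agent.123; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=124; export SSH_AGENT_PID;
#   echo Agent pid 124;

# parse_agent_env FILE
# Sets agent_sock and agent_pid (names chosen for this example) and returns 0,
# or returns 1 if either value is missing or malformed.
parse_agent_env() {
    agent_sock='' agent_pid=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            SSH_AUTH_SOCK=*)
                v=${line#SSH_AUTH_SOCK=}
                v=${v%%;*}                                   # value before the first ';'
                case $v in /*) ;; *) return 1 ;; esac        # must be an absolute path
                case $v in *[!A-Za-z0-9/._-]*) return 1 ;; esac  # no $ ` ' " ; ( ) or blanks
                agent_sock=$v ;;
            SSH_AGENT_PID=*)
                v=${line#SSH_AGENT_PID=}
                v=${v%%;*}
                case $v in ''|*[!0-9]*) return 1 ;; esac     # digits only
                agent_pid=$v ;;
            *) ;;   # "echo Agent pid ..." and any unexpected line is ignored, never run
        esac
    done < "$1"
    if [ -n "$agent_sock" ] && [ -n "$agent_pid" ]; then
        return 0
    else
        return 1
    fi
}

# load_agent_env FILE
# Parses FILE and, if the recorded agent process is still alive, exports the
# two variables into the current shell.  Returns 1 for a bad file or a stale
# agent (the usual case after a reboot, or when the agent was killed).
load_agent_env() {
    parse_agent_env "$1" || return 1
    kill -0 "$agent_pid" 2>/dev/null || return 1   # agent process gone: stale file
    # Against a real agent, also require [ -S "$agent_sock" ] before using the socket.
    SSH_AUTH_SOCK=$agent_sock
    SSH_AGENT_PID=$agent_pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# Demo on a constructed file that mimics ssh-agent output; it records this
# shell's own PID so the liveness check passes without a real agent.
demo_file=$(mktemp)
printf 'SSH_AUTH_SOCK=/tmp/ssh-demo/agent.41; export SSH_AUTH_SOCK;\nSSH_AGENT_PID=%s; export SSH_AGENT_PID;\necho Agent pid %s;\n' \
    "$$" "$$" > "$demo_file"
if load_agent_env "$demo_file"; then
    echo "agent env loaded: SSH_AUTH_SOCK=$SSH_AUTH_SOCK SSH_AGENT_PID=$SSH_AGENT_PID"
else
    echo "Warning: could not set up ssh-agent environment"
fi
rm -f "$demo_file"
```

Compared with the egrep/sed filter in the profile, this rejects relative socket paths and any character outside a small safe set, and the liveness check means a leftover file from a previous boot produces a warning instead of a dead SSH_AUTH_SOCK in every new session.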
