List: opensolaris-security-discuss
Subject: [Security-discuss] Re: OpenSolaris PAM page
From: William.Fiveash () sun ! com (Will Fiveash)
Date: 2006-04-28 16:58:51
Message-ID: 20060428235847.GA18682 () sun ! com
On Thu, Apr 27, 2006 at 02:08:44PM -0500, Nicolas Williams wrote:
> On Thu, Apr 27, 2006 at 11:36:40AM -0700, Alan Coopersmith wrote:
> > Darren J Moffat wrote:
> > >I've just set up the start of a PAM page on OpenSolaris.org as part of
> > >the OpenSolaris security community.
> > >
> > >http://opensolaris.org/os/community/security/projects/pam/
> > >
> > >I started with some of the PAM modules that I've had sitting in my home
> > >directory. It was interesting, for me, to see that I wrote some of these
> > >about 9 years ago. I've released these under the CDDL.
> >
> > I like the idea of pam_xauth_cred - I was actually wondering earlier this
> > week if there should be a pam_ssh-agent_cred to establish ssh-agent in the
> > login process instead of having to add it to the desktop session startup
> > files. Would that make any sense?
>
> Provided the details of how the agents are started/found make sense.
>
> Do you want to share a session's agent with other sessions for the same
> user?
As an aside, here is what I use in my ksh ~/.profile:
# Assumes ~/priv/ssh-agent already exists (user-only permissions) and that
# FULLHOST has been set earlier in .profile.
if ! pgrep -u $LOGNAME '^ssh-agent$' >/dev/null
then
    if [[ -o interactive ]]
    then
        # no agent running for this user: drop any stale settings file
        if [[ -f ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME ]]
        then
            rm -f ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME
        fi
        orig_umask=$(umask)
        umask u=rwx,go=     # don't allow others any perms on the settings file
        # start ssh-agent, store env. var.s output by ssh-agent
        /usr/bin/ssh-agent > ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME
        umask $orig_umask
    fi
fi
# set env. to talk to ssh-agent
if [[ -r ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME ]]
then
    # set env. var.s output by ssh-agent carefully: keep only the two expected
    # assignments, with values free of ` and $, and strip the "; export ..."
    # tails, so nothing else in the file gets executed when it is sourced
    if egrep '^(SSH_AUTH_SOCK=/[^`$]+|SSH_AGENT_PID=[0-9]+);' \
        ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME | \
        sed -e 's/;.*//' > ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME.filter
    then
        # source env. settings; the filtered file holds bare assignments
        # (the export statements were stripped), so export them here
        . ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME.filter
        export SSH_AUTH_SOCK SSH_AGENT_PID
    else
        print "Warning: could not setup ssh-agent environment!"
    fi
else
    print "Warning, can't read ~/priv/ssh-agent/ssh-agent.$FULLHOST.$LOGNAME"
    print "SSH env. not setup!"
fi
if [[ -o interactive ]] && \
    /usr/bin/ssh-add -l | grep 'The agent has no identities'
then
    # add ssh ID if none found
    /usr/bin/ssh-add
fi
===============================================
The first session starts ssh-agent; other login sessions source the settings
from a file.
--
Will Fiveash
Sun Microsystems
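As an added example, not code from the post above, here is a POSIX sh version of the same whitelist step written to fail closed: it accepts only the two expected assignments, with values drawn from a strict character set, emits them as export statements, and rejects a settings file containing anything else, so a file altered after ssh-agent wrote it cannot inject commands when sourced. The agent output and the tampered file below are constructed samples.

```shell
#!/bin/sh
# Added example: fail-closed whitelist filter for the lines ssh-agent prints.
# Reads the lines on stdin; prints `export NAME=value` for the two expected
# variables only. Returns 1 (printing nothing) if a value contains anything
# outside a strict character set, or if an unexpected line is present.
filter_agent_env() {
    sock='' pid=''
    while IFS= read -r line; do
        case $line in
            SSH_AUTH_SOCK=/*\;*)
                v=${line#SSH_AUTH_SOCK=}; v=${v%%;*}
                # socket paths use only these characters; anything else
                # (quotes, $, backticks, spaces, parens) is rejected, not escaped
                case $v in *[!A-Za-z0-9/._-]*) return 1 ;; esac
                sock=$v ;;
            SSH_AGENT_PID=*\;*)
                v=${line#SSH_AGENT_PID=}; v=${v%%;*}
                case $v in ''|*[!0-9]*) return 1 ;; esac
                pid=$v ;;
            'echo Agent pid '*) ;;   # informational line ssh-agent also prints
            '') ;;                   # tolerate a blank line
            *) return 1 ;;           # any other content: do not trust the file
        esac
    done
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    printf 'export SSH_AUTH_SOCK=%s\nexport SSH_AGENT_PID=%s\n' "$sock" "$pid"
}

# Constructed sample of what ssh-agent prints (path and pid are made up).
AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-XYZ123/agent.4242; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4243; export SSH_AGENT_PID;
echo Agent pid 4243;'

# Constructed sample of a tampered settings file: same shape, but the socket
# value carries a command substitution that sourcing the raw file would run.
TAMPERED_OUTPUT='SSH_AUTH_SOCK=/tmp/$(id)/agent.1; export SSH_AUTH_SOCK;
SSH_AGENT_PID=1; export SSH_AGENT_PID;'

# Run the filter over one sample given as a single string.
check_sample() {
    printf '%s\n' "$1" | filter_agent_env
}

check_sample "$AGENT_OUTPUT" && echo "genuine agent output accepted"
check_sample "$TAMPERED_OUTPUT" || echo "tampered settings file rejected"
```

The printed export lines can be evaluated with `eval "$(filter_agent_env < settings-file)"` only when the function returns 0, which is the point: a rejected file yields nothing to evaluate.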