diff --git a/README.md b/README.md index 2f074bb..47c9e04 100644 --- a/README.md +++ b/README.md 
@@ -7,28 +7,74 @@ then this script might just be for you! * You login at the linux VT using a getty * You have a `systemd --user` service called `ssh-agent.service` that starts your ssh agent. - * You have to type your password a second time after logging in in order to + * You have to type your passphrase after logging in in order to decrypt your SSH key. This script allows you to only type your password once. When logging in, your SSH key will be decrypted and added to your ssh-agent for you. -## Usage +## Installation -There is one pre-requisite for this script: +(1) Set up your ssh-agent systemd user service with the proper + environment using lingering to start it at boot -Your systemd --user instance needs to know about the `SSH_AUTH_SOCK`. If you're -using my systemd-user-sessions package mentioned above then you will want to -add this to your `~/.config/bash/environment` file as something like -`SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/ssh-agent`. + # setup module + echo '[Unit] + Description=SSH key agent -To enable the script you will want to add this to your pam configuration -(probably `/etc/pam.d/system-login` or `/etc/pam.d/login`) + [Service] + Type=simple + Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket + ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK - auth optional pam_exec.so expose_authtok /path/to/the/systemd-user-pam-ssh + [Install] + WantedBy=default.target' \ + > ~/.config/systemd/user/ssh-agent.service + + # setup environment + echo 'SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/ssh-agent.socket"' \ + > ~/.pam_environment + + # enable now and at boot + systemctl --user start ssh-agent + systemctl --user enable ssh-agent + + # enable lingering + loginctl enable-linger $(whoami) + +(2) Install the script to a well-known location (You can modify `/usr/lib`) + + sudo cp systemd-user-pam-ssh /usr/lib/systemd/systemd-user-pam-ssh + +(3) Configure pam + + echo "auth optional pam_exec.so expose_authtok /usr/lib/systemd/systemd-user-pam-ssh" \ + | sudo tee -a 
/etc/pam.d/login + +(4a) Use your system password as your private key passphrase (not recommended) + + ssh-keygen -p -f ~/.ssh/id_rsa + # type your system password + + +(4b) Encrypt a passphrase with your system password and a heavy derivation function (recommended) + + ## Change your passphrase (optional) + + ssh-keygen -p -f ~/.ssh/id_rsa + # type your passphrase + + ## Save your passphrase encrypted with your system password + + read -s PASSWORD + # type your system password + + read -S PASSPHRASE + # type your passphrase + + echo $PASSPHRASE | openssl enc -pbkdf2 -in - -out ~/.ssh/passphrase -e -aes256 -k "$PASSWORD" + + unset PASSWORD + unset PASSPHRASE -## Installation -I would recommend placing the script under `/usr/lib/systemd/`. If you are using -Arch Linux you can use the PKGBUILD [located -here](https://github.com/EvanPurkhiser/PKGBUILDs/tree/master/systemd-user-pam-ssh-git/PKGBUILD). diff --git a/systemd-user-pam-ssh b/systemd-user-pam-ssh index 662a0e5..0178ba1 100755 --- a/systemd-user-pam-ssh +++ b/systemd-user-pam-ssh @@ -25,9 +25,6 @@ else # Get the SSH_AUTH_SOCK variable from the user session export $(systemctl --user show-environment | grep ^SSH_AUTH_SOCK=) - # Ensure the ssh-agent service is started - systemctl --user start ssh-agent - # Use self as askpass to work around ssh-add not reading stdin # on some systems export SSH_ASKPASS="$0"
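Review bot: step (4b) in the README hunk uses `read -S PASSPHRASE`, but bash `read` has no `-S` option (silent input is `-s`), so the command errors out and `$PASSPHRASE` stays empty when the passphrase file is written; change it to `read -s PASSPHRASE`. In the same step, `-k "$PASSWORD"` places the system password on the openssl command line, where it is visible in the process list to any local user for the duration of the call; `-pass env:PASSWORD` keeps it out of argv, and `echo "$PASSPHRASE"` should be quoted so a passphrase containing spaces or glob characters is written intact. The `~/.pam_environment` file written in step (1) is only read when pam_env.so is configured with `user_readenv=1`, which the README should state.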
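Review bot: removing `systemctl --user start ssh-agent` from the script's `else` branch makes the PAM hook depend on step (1) of the README having been completed (unit enabled and lingering turned on); where the agent is not running, `ssh-add` finds no socket and the key is not loaded, and because the module is `auth optional` the login succeeds with no indication of why. `systemctl --user start` is a no-op on an already running unit, so keeping the line (or checking `systemctl --user is-active ssh-agent` and logging when it is inactive) costs nothing and lets the script keep working on its own.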