@ -7,28 +7,74 @@ then this script might just be for you!
* You login at the linux VT using a getty
* You have a `systemd --user` service called `ssh-agent.service` that starts
your ssh agent.
* You have to type your password a second time after logging in in order to
* You have to type your passphrase after logging in in order to
decrypt your SSH key.
This script allows you to only type your password once. When logging in, your
SSH key will be decrypted and added to your ssh-agent for you.
## Usage
## Installation
There is one pre-requisite for this script:
(1) Set up your ssh-agent systemd user service with the proper
environment using lingering to start it at boot
Your systemd --user instance needs to know about the `SSH_AUTH_SOCK`. If you're
using my systemd-user-sessions package mentioned above then you will want to
add this to your `~/.config/bash/environment` file as something like
`SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/ssh-agent`.
# setup module
echo '[Unit]
Description=SSH key agent
To enable the script you will want to add this to your pam configuration
(probably `/etc/pam.d/system-login` or `/etc/pam.d/login`)
[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
auth optional pam_exec.so expose_authtok /path/to/the/systemd-user-pam-ssh
[Install]
WantedBy=default.target' \
> ~/.config/systemd/user/ssh-agent.service
# setup environment
echo 'SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/ssh-agent.socket"' \
> ~/.pam_environment
# enable now and at boot
systemctl --user start ssh-agent
systemctl --user enable ssh-agent
# enable lingering
loginctl enable-linger $(whoami)
(2) Install the script to a well-known location (You can modify `/usr/lib`)
sudo cp systemd-user-pam-ssh /usr/lib/systemd/systemd-user-pam-ssh
(3) Configure pam
echo "auth optional pam_exec.so expose_authtok /usr/lib/systemd/systemd-user-pam-ssh" \
| sudo tee -a /etc/pam.d/login
(4a) Use your system password as your private key passphrase (not recommended)
ssh-keygen -p -f ~/.ssh/id_rsa
# type your system password
(4b) Encrypt a passphrase with your system password and a heavy derivation function (recommended)
## Change your passphrase (optional)
ssh-keygen -p -f ~/.ssh/id_rsa
# type your passphrase
## Save your passphrase encrypted with your system password
read -s PASSWORD
# type your system password
read -S PASSPHRASE
# type your passphrase
echo $PASSPHRASE | openssl enc -pbkdf2 -in - -out ~/.ssh/passphrase -e -aes256 -k "$PASSWORD"
unset PASSWORD
unset PASSPHRASE
## Installation
I would recommend placing the script under `/usr/lib/systemd/`. If you are using
Arch Linux you can use the PKGBUILD [located
here](https://github.com/EvanPurkhiser/PKGBUILDs/tree/master/systemd-user-pam-ssh-git/PKGBUILD).
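Review bot: `read -S PASSPHRASE` in the "Save your passphrase encrypted with your system password" block is a typo for `read -s PASSPHRASE`; bash's `read` has no `-S` option, so the command exits with "invalid option", `PASSPHRASE` stays empty, and `~/.ssh/passphrase` ends up holding an encrypted empty line rather than the passphrase. Two further problems in the same block: `openssl enc ... -k "$PASSWORD"` places the system password in the process argument list, where any local user can read it via `ps` or `/proc/<pid>/cmdline` while the command runs, and `echo $PASSPHRASE` is unquoted, so a passphrase containing spaces or backslashes is altered before encryption. Suggested replacement for the three lines `read -S PASSPHRASE` / `# type your passphrase` / `echo $PASSPHRASE | openssl enc ...`:
`read -s PASSPHRASE`
`# type your passphrase`
`printf '%s\n' "$PASSPHRASE" | PASSWORD="$PASSWORD" openssl enc -pbkdf2 -e -aes256 -pass env:PASSWORD -out ~/.ssh/passphrase`
which keeps the password out of the command line (the environment of a process is readable only by its own user and root). Separately, the `# setup environment` step writes `~/.pam_environment`, which pam_env no longer reads by default on systems with Linux-PAM 1.5.0 or newer (`user_readenv` defaults to off), so `SSH_AUTH_SOCK` will silently not be set there; the README should say how the variable reaches the login session on such systems (for example through `environment.d` for the `systemd --user` instance) and the unit's `Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket` should be kept consistent with whatever path is used.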