From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Fri, 04 Jun 2010 07:56:31 +0100
To: freebsd-questions@freebsd.org
Cc: Steve Franks
Subject: Re: x11/xfce ssh-agent once per logon for minimal (no gnome/kde) installation
Message-ID: <4C08A39F.5@infracaninophile.co.uk>

On 04/06/2010 24:39:46, Steve Franks wrote:
> I'm totally lost.  What I desire is to put in my passphrase for my
> public key(s) when I logon to my box.  Since I usually install from
> ports and use xfce, I have no infrastructure for this, and I'm getting
> nowhere fast.  My Fedora box popped up a nice little "enter
> passphrase" box the very first time I ssh'd to my server, and now it
> 'just works'.  My FreeBSD boxes (which are many - everything *but* the
> laptop with Fedora), 'just don't work'.  I've installed everything
> with 'ssh' and either 'key' or 'agent' in the name from
> ports/security, and gone through the manpages, and tweaked countless
> environment variables, but every time I ssh on a FreeBSD box, it
> stubbornly locates the terminal I started any gui's from (i.e. meld +
> bzr), and asks for the passphrase a great many times daily.  Add that
> I've started my gui with meld& (so as to continue using said terminal
> - don't love 'panels', 'choosers', 'menus', etc - guis are for word
> processors and file managers, not desktops), I can't even type in the
> passphrase there.  I generally like using FreeBSD caveman style, but
> this is starting to drive me nuts.  No meld/bzr==no work from home==no
> happiness ;)
>
> Anyone have a 'standard' / FreeBSD-friendly best-practices for this?
> I think I'm just cluttering up my system here.

The problem you have is that you need to start ssh-agent(1) somewhere
very early in your login process, so that your entire desktop
environment can inherit all the necessary ssh-agent settings.

Exactly what to do depends on how you get into X11.  If you run
startx(1) manually when you want to switch from console to X11 then you
need to edit your ~/.xinitrc.  Alternatively, if you use a display
manager like xdm(1) -- i.e. there's an X based graphical login -- then
you have two choices: edit your ~/.xsession or tweak the pam
configuration for your login manager.
If you want to go the 'edit .xinitrc or .xsession' route then you need
to do basically the same thing for either of those two files.  They're
pretty much just scripts that start up the initial X applications for
your login session: practically speaking, that means starting up your
window manager.  It's possible you don't have either of those files
explicitly in your account: in either case the system will run a
standard default script if it can't find a user specific version.

The .xinitrc or .xsession file should look something like this:

    #!/bin/sh

    # Import user environment settings
    . "${HOME}/.profile"

    # Start the agent and import SSH_AUTH_SOCK / SSH_AGENT_PID into
    # this shell, so everything started below inherits them
    eval $( ssh-agent -s )

    # Eg. pop up an xterm so you can enter your ssh passphrase
    xterm -geometry 80x24-91+0 -e /usr/bin/ssh-add -c "${HOME}/.ssh/id_rsa" &

    # Note: no '&' -- this should run in the foreground.  startxfce4 is
    # the Xfce 4 session launcher; substitute your own window manager.
    startxfce4

    # Window manager has exited: kill the agent so the keys do not
    # outlive the session
    eval $( ssh-agent -k )

    #
    # That's All Folks!
    #

This is just a rough outline, which you should adapt to your own needs
-- in particular there are nicer apps you can use for entering a
passphrase.  Also note that you can probably omit that bit from the
.xinitrc or .xsession and have your window manager run it.  In any
case, the important bits are the two 'eval' lines bracketing the
window-manager startup.

The other possibility -- which is only available if you are using a
display manager like xdm(1) -- is tweaking the pam settings.  For xdm,
edit the file /etc/pam.d/xdm and uncomment the two lines mentioning
pam_ssh.  Now you will be able to log into your system via xdm using
your ssh passphrase, and xdm will start up ssh-agent for your session
and add your key to it.  Different display managers will have their own
pam.d files (either in /etc/pam.d or in /usr/local/etc/pam.d) but you
should be able to make equivalent changes there -- either uncomment or
add pam_ssh lines in the auth or session sections.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
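The following is an added example, not code from Matthew's mail or from the FreeBSD project. It takes the .xinitrc/.xsession outline above a step further: it starts one ssh-agent per login, reuses that agent if it is still alive on the next startx, refuses to trust an SSH_AUTH_SOCK or environment file the user does not own, kills the agent when the window manager exits, and adds a small check for the pam_ssh route (does /etc/pam.d/xdm actually have uncommented pam_ssh lines in both the auth and session sections?). The env-file location ~/.ssh/agent.env, the session command startxfce4 and the /usr/local/bin/ssh-askpass path are assumptions, not something the mail specifies; adapt them to your setup.

```sh
#!/bin/sh
# Added example; not from the mailing-list post or the FreeBSD project.
# A ~/.xinitrc or ~/.xsession skeleton that starts ONE ssh-agent per login,
# reuses it while it is alive, refuses to trust a socket or env file the
# user does not own, kills the agent when the session ends, and includes a
# check for the pam_ssh route.  Assumed (not in the mail): the env file
# location, the session command and the askpass path below.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"        # assumed location
SESSION_CMD="${SESSION_CMD:-startxfce4}"               # Xfce 4 launcher; substitute your WM
ASKPASS="${SSH_ASKPASS:-/usr/local/bin/ssh-askpass}"   # assumed path

# agent_alive [SOCK]: succeed only if SOCK (default $SSH_AUTH_SOCK) is a
# Unix socket owned by the calling user.  A missing, stale or foreign socket
# is rejected, so a planted SSH_AUTH_SOCK cannot route our signing requests
# to an agent somebody else controls.
agent_alive() {
    sock="${1:-$SSH_AUTH_SOCK}"
    [ -n "$sock" ] && [ -S "$sock" ] && [ -O "$sock" ]
}

# file_private FILE: succeed only if FILE is a regular file we own with mode
# exactly 0600.  ls(1) is used because stat(1) flags differ between BSD and GNU.
file_private() {
    f="$1"
    [ -f "$f" ] && [ -O "$f" ] || return 1
    [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ]
}

# load_agent_env [FILE]: import SSH_AUTH_SOCK and SSH_AGENT_PID from the file
# that `ssh-agent -s` wrote, but only if the file is private and the socket
# it names is alive.  The two values are parsed out rather than sourced with
# '.', so nothing else that ends up in the file is ever executed.
load_agent_env() {
    f="${1:-$AGENT_ENV}"
    file_private "$f" || return 1
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$f")
    pid=$(sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p' "$f")
    agent_alive "$sock" || return 1
    SSH_AUTH_SOCK="$sock"; SSH_AGENT_PID="$pid"
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# start_agent: launch a fresh agent; umask 077 makes the env file 0600 from
# the moment it is created, so there is no window in which it is readable.
start_agent() {
    ( umask 077; ssh-agent -s > "$AGENT_ENV" ) || return 1
    load_agent_env "$AGENT_ENV"
}

# ensure_agent: the single call a session script needs.
ensure_agent() {
    load_agent_env "$AGENT_ENV" || start_agent
}

# pam_ssh_enabled PAMFILE: succeed if PAMFILE has an uncommented pam_ssh line
# in both its auth and session sections, which is what the xdm route in the
# mail needs.  A line still starting with '#' does not count.
pam_ssh_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^[:space:]]+[[:space:]]+pam_ssh\.so' "$1" &&
    grep -Eq '^[[:space:]]*session[[:space:]]+[^[:space:]]+[[:space:]]+pam_ssh\.so' "$1"
}

# Session body: runs only when this file is invoked as .xinitrc or .xsession
# (by startx or the display manager), so sourcing it elsewhere is harmless.
case "${0##*/}" in
.xinitrc|.xsession)
    [ -r "$HOME/.profile" ] && . "$HOME/.profile"
    ensure_agent || exit 1
    # With stdin not a tty, ssh-add asks for the passphrase via $SSH_ASKPASS
    # instead of the console startx was typed into.
    SSH_ASKPASS="$ASKPASS"; export SSH_ASKPASS
    ssh-add -c < /dev/null &
    "$SESSION_CMD"                     # foreground: session lives until it exits
    ssh-agent -k > /dev/null 2>&1
    rm -f "$AGENT_ENV"
    ;;
esac
```

Install it as ~/.xinitrc (or ~/.xsession) and make it executable; the case guard at the bottom means the same file can also be sourced from a shell to get `pam_ssh_enabled /etc/pam.d/xdm` as a quick check after editing the pam configuration. Parsing the agent file instead of sourcing it, and insisting on 0600 plus ownership of both the file and the socket, is what keeps the "reuse the existing agent" convenience from becoming a way for another local account to feed this session a socket of its choosing.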