Date:      Fri, 4 Jun 2010 09:07:48 -0700
From:      Steve Franks <bahamasfranks@gmail.com>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: x11/xfce ssh-agent once per logon for minimal (no gnome/kde)  installation
Message-ID:  <AANLkTinI3VzlbkPxtCSfhuKy4j57ZWPLAv3w60vyOajt@mail.gmail.com>
In-Reply-To: <4C08A39F.5@infracaninophile.co.uk>
References:  <AANLkTinH9tyjtehPBvzeixTW8oMUOCvWKqIU8l39shVY@mail.gmail.com> <4C08A39F.5@infracaninophile.co.uk>

On Thu, Jun 3, 2010 at 11:56 PM, Matthew Seaman
<m.seaman@infracaninophile.co.uk> wrote:
>
> On 04/06/2010 24:39:46, Steve Franks wrote:
>> I'm totally lost.  What I desire is to put in my passphrase for my
>> public key(s) when I logon to my box.  Since I usually install from
>> ports and use xfce, I have no infrastructure for this, and I'm getting
>> nowhere fast.  My Fedora box popped up a nice little "enter
>> passphrase" box the very first time I ssh'd to my server, and now it
>> 'just works'.  My FreeBSD boxes (which are many - everything *but* the
>> laptop with Fedora), 'just don't work'.  I've installed everything
>> with 'ssh' and either 'key' or 'agent' in the name from
>> ports/security, and gone through the manpages, and tweaked countless
>> environment variables, but every time I ssh on a FreeBSD box, it
>> stubbornly locates the terminal I started any GUIs from (i.e. meld +
>> bzr), and asks for the passphrase a great many times daily.  Add that
>> I've started my GUI with meld& (so as to continue using said terminal
>> - don't love 'panels', 'choosers', 'menus', etc - GUIs are for word
>> processors and file managers, not desktops), I can't even type in the
>> passphrase there.  I generally like using FreeBSD caveman style, but
>> this is starting to drive me nuts.  No meld/bzr==no work from home==no
>> happiness ;)
>>
>> Anyone have a 'standard' / FreeBSD-friendly best-practices for this?
>> I think I'm just cluttering up my system here.
>
> The problem you have is that you need to start ssh-agent(1) somewhere
> very early in your login process, so that your entire desktop
> environment can inherit all the necessary ssh-agent settings.
>
> Exactly what to do depends on how you get into X11.  If you run
> startx(1) manually when you want to switch from console to X11 then you
> need to edit your ~/.xinitrc
>
> Alternatively, if you use a display manager like xdm(1) -- i.e. there's
> an X based graphical login -- then you have two choices: edit your
> ~/.xsession or tweak the pam configuration for your login manager.
>
> If you want to go the 'edit .xinitrc or .xsession' route then you need
> to do basically the same thing for either of those two files.  They're
> pretty much just scripts that start up the initial X applications for
> your login session: practically speaking, that means starting up your
> window manager.  It's possible you don't have either of those files
> explicitly in your account: in either case the system will run a
> standard default script if it can't find a user specific version.
>
> The .xinitrc or .xsession file should look something like this:
>
> #!/bin/sh
>
> # Import user environment settings
> . ${HOME}/.profile
>
> eval $( ssh-agent -s )
>
> # Eg. pop up an xterm so you can enter your ssh passphrase
> xterm -geometry 80x24-91+0 -e /usr/bin/ssh-add -c ${HOME}/.ssh/id_rsa &
>
> # Note: no '&' -- this should run in the foreground
> xfce
>
> eval $( ssh-agent -k )
> #
> # That's All Folks!
> #
>
> This is just a rough outline, which you should adapt to your own needs
> -- in particular there are nicer apps you can use for entering a
> passphrase.  Also note that you can probably omit that bit from the
> .xinitrc or .xsession and have your window manager run it.  In any case,
> the important bits are the two 'eval' lines bracketing the
> window-manager startup.
>
> The other possibility -- which is only available if you are using a
> display manager like xdm(1) -- is tweaking the pam settings.  For xdm,
> edit the file /etc/pam.d/xdm and uncomment the two lines mentioning
> pam_ssh.  Now you will be able to log into your system via xdm using
> your ssh passphrase, and xdm will start up ssh-agent for your session
> and add your key to it.  Different display managers will have their own
> pam.d files (either in /etc/pam.d or in /usr/local/etc/pam.d) but you
> should be able to make equivalent changes there -- either uncomment or
> add pam_ssh lines in the auth or session sections.
>
>        Cheers,
>
>        Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
>


Ah, sometimes you're just a command away!  I'm surprised I couldn't
google this (too many ssh examples, all the x11+agent ones must be
hidden).

So for posterity, this is the relevant portion of .xinitrc file:
...
export SSH_ASKPASS=/usr/local/bin/x11-ssh-askpass ;export SSH_ASKPASS
eval $( ssh-agent -s )
ssh-add &
xfce4-session
eval $( ssh-agent -k )
....

I was using "exec xfce4-session" as in most of the examples for
.xinitrc files, which seemed to be mucking things up - ditching the
exec was one of the key steps on my system.

Now, when I login, xfce starts normally, and concurrently, a nice
little window pops up asking for my passphrase for my keys!  Now I can
ssh (and bzr) with impunity.

Thanks!
Steve
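The pattern both posts converge on (start one agent early, prompt via SSH_ASKPASS, run the window manager in the foreground, kill the agent afterwards) as a reusable POSIX sh helper. This is an added example, not code from either poster; the file path ~/.ssh/agent-session.sh and the function names are assumptions, and it assumes OpenSSH's ssh-agent/ssh-add plus the x11-ssh-askpass path from the thread.

```shell
#!/bin/sh
# Hypothetical ~/.ssh/agent-session.sh: one ssh-agent per X login, shut down
# again when the session ends. Use from ~/.xinitrc or ~/.xsession as:
#     . "${HOME}/.ssh/agent-session.sh"
#     run_session_with_agent xfce4-session
# Assumes OpenSSH ssh-agent/ssh-add and an askpass program (SSH_ASKPASS).

# True (0) when SSH_AUTH_SOCK already points at a live agent, e.g. one started
# by a display manager or pam_ssh; in that case do not start a second one.
have_usable_agent() {
    command -v ssh-add >/dev/null 2>&1 || return 1
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "${SSH_AUTH_SOCK}" ] || return 1
    ssh-add -l >/dev/null 2>&1
    # ssh-add exits 2 only when it cannot reach the agent; 0 or 1 means it did.
    [ $? -ne 2 ]
}

# Start an agent and import its variables with eval, exactly as in the thread.
start_agent() {
    have_usable_agent && return 0
    agent_env=$(ssh-agent -s) || return 1
    eval "${agent_env}" >/dev/null
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

stop_agent() {
    [ -n "${SSH_AGENT_PID:-}" ] || return 0
    eval "$(ssh-agent -k)" >/dev/null 2>&1
    unset SSH_AGENT_PID
}

# Ask for the passphrase graphically. With stdin not a tty, ssh-add falls back
# to $SSH_ASKPASS; backgrounding it in a script gives it /dev/null as stdin,
# which is why the plain "ssh-add &" line in the thread works under X.
load_keys() {
    SSH_ASKPASS="${SSH_ASKPASS:-/usr/local/bin/x11-ssh-askpass}"
    export SSH_ASKPASS
    ssh-add "$@" </dev/null &
}

# Run the window manager in the foreground (no exec) so the trap can kill the
# agent afterwards, even if the session dies from a signal instead of exiting.
run_session_with_agent() {
    start_agent || return 1
    trap stop_agent EXIT HUP INT TERM
    load_keys
    "$@"
}
```

Because the session is not exec'd, the trap fires on any exit path, which is the same reason Steve found that dropping "exec" was a key step.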
