From: Steve Franks
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Date: Fri, 4 Jun 2010 09:07:48 -0700
Subject: Re: x11/xfce ssh-agent once per logon for minimal (no
gnome/kde) installation

On Thu, Jun 3, 2010 at 11:56 PM, Matthew Seaman wrote:

> On 04/06/2010 24:39:46, Steve Franks wrote:
>> I'm totally lost. What I desire is to put in my passphrase for my
>> public key(s) when I logon to my box. Since I usually install from
>> ports and use xfce, I have no infrastructure for this, and I'm getting
>> nowhere fast. My Fedora box popped up a nice little "enter
>> passphrase" box the very first time I ssh'd to my server, and now it
>> 'just works'. My FreeBSD boxes (which are many - everything *but* the
>> laptop with Fedora), 'just don't work'. I've installed everything
>> with 'ssh' and either 'key' or 'agent' in the name from
>> ports/security, and gone through the manpages, and tweaked countless
>> environment variables, but every time I ssh on a FreeBSD box, it
>> stubbornly locates the terminal I started any guis from (i.e. meld +
>> bzr), and asks for the passphrase a great many times daily. Add that
>> I've started my gui with meld& (so as to continue using said terminal
>> - don't love 'panels', 'choosers', 'menus', etc - guis are for word
>> processors and file managers, not desktops), I can't even type in the
>> passphrase there. I generally like using FreeBSD caveman style, but
>> this is starting to drive me nuts. No meld/bzr==no work from home==no
>> happiness ;)
>>
>> Anyone have a 'standard' / FreeBSD-friendly best-practices for this?
>> I think I'm just cluttering up my system here.
>
> The problem you have is that you need to start ssh-agent(1) somewhere
> very early in your login process, so that your entire desktop
> environment can inherit all the necessary ssh-agent settings.
>
> Exactly what to do depends on how you get into X11. If you run
> startx(1) manually when you want to switch from console to X11 then you
> need to edit your ~/.xinitrc
>
> Alternatively, if you use a display manager like xdm(1) -- ie. there's
> an X based graphical login -- then you have two choices: edit your
> ~/.xsession or tweak the pam configuration for your login manager.
>
> If you want to go the 'edit .xinitrc or .xsession' route then you need
> to do basically the same thing for either of those two files. They're
> pretty much just scripts that start up the initial X applications for
> your login session: practically speaking, that means starting up your
> window manager. It's possible you don't have either of those files
> explicitly in your account: in either case the system will run a
> standard default script if it can't find a user specific version.
>
> The .xinitrc or .xsession file should look something like this:
>
>     #!/bin/sh
>
>     # Import user environment settings
>     . ${HOME}/.profile
>
>     eval $( ssh-agent -s )
>
>     # Eg. pop up an xterm so you can enter your ssh passphrase
>     xterm -geometry 80x24-91+0 -e /usr/bin/ssh-add -c ${HOME}/.ssh/id_rsa &
>
>     # Note: no '&' -- this should run in the foreground
>     xfce
>
>     eval $( ssh-agent -k )
>     #
>     # That's All Folks!
>     #
>
> This is just a rough outline, which you should adapt to your own needs
> -- in particular there are nicer apps you can use for entering a
> passphrase. Also note that you can probably omit that bit from the
> .xinitrc or .xsession and have your window manager run it. In any case,
> the important bits are the two 'eval' lines bracketing the
> window-manager startup.
>
> The other possibility -- which is only available if you are using a
> display manager like xdm(1) -- is tweaking the pam settings. For xdm,
> edit the file /etc/pam.d/xdm and uncomment the two lines mentioning
> pam_ssh.
> Now you will be able to log into your system via xdm using
> your ssh passphrase, and xdm will start up ssh-agent for your session
> and add your key to it. Different display managers will have their own
> pam.d files (either in /etc/pam.d or in /usr/local/etc/pam.d) but you
> should be able to make equivalent changes there -- either uncomment or
> add pam_ssh lines in the auth or session sections.
>
>         Cheers,
>
>         Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW

Ah, sometimes you're just a command away! I'm surprised I couldn't
google this (too many ssh examples, all the x11+agent ones must be
hidden). So for posterity, this is the relevant portion of my .xinitrc
file:

    ...
    export SSH_ASKPASS=/usr/local/bin/x11-ssh-askpass ;export SSH_ASKPASS
    eval $( ssh-agent -s )
    ssh-add &
    xfce4-session
    eval $( ssh-agent -k )
    ....

I was using "exec xfce4-session" as in most of the examples for .xinitrc
files, which seemed to be mucking things up - ditching the exec was one
of the key steps on my system. Now, when I login, xfce starts normally,
and concurrently, a nice little window pops up asking for my passphrase
for my keys! Now I can ssh (and bzr) with impunity.

Thanks!
Steve
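A complete ~/.xinitrc along the lines of Matthew's outline and Steve's working version, as an added example; it is not code from either post. It assumes x11-ssh-askpass from ports at /usr/local/bin/x11-ssh-askpass, xfce4-session as the session command, and private keys named id_ed25519 or id_rsa under ~/.ssh; adjust those paths for your box. It goes a little beyond the thread: it reuses an agent it inherits (for instance one started by pam_ssh through xdm) instead of stacking a second one, closes ssh-add's stdin so the passphrase prompt goes to the askpass dialog rather than to the terminal startx was typed into, bounds how long the agent keeps the key with -t and asks for confirmation on each use with -c, and kills the agent from an EXIT trap, which is also why the session is started without exec.

```shell
#!/bin/sh
# Added example ~/.xinitrc (not from the mailing-list thread): one
# ssh-agent per X session, keys loaded through an X11 askpass dialog,
# the session run in the foreground, the agent killed when it ends.
# Assumed paths below (askpass program, session command, key names)
# are the author's guesses for a FreeBSD/ports install; adjust them.

ASKPASS_CANDIDATES="/usr/local/bin/x11-ssh-askpass /usr/local/bin/ssh-askpass"
KEY_CANDIDATES="${HOME}/.ssh/id_ed25519 ${HOME}/.ssh/id_rsa"
KEY_LIFETIME="8h"          # ssh-add -t: the agent forgets the key after this
SESSION="xfce4-session"    # started WITHOUT exec so the EXIT trap can run

# Print the first executable from a space-separated list, or nothing.
first_executable() {
    for p in $1; do
        if [ -x "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Print those of the listed private keys that actually exist, so that a
# key you do not have does not make ssh-add fail noisily.
existing_keys() {
    out=""
    for k in $1; do
        [ -f "$k" ] && out="${out:+$out }$k"
    done
    echo "$out"
}

# Map the exit status of `ssh-add -l` to a word, per ssh-add(1):
# 0 = keys loaded, 1 = agent running but empty, 2 = no agent reachable.
agent_state() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

main() {
    # Reuse an agent we inherited (e.g. from pam_ssh via xdm) rather
    # than starting a second one that nothing will ever kill.
    ssh-add -l >/dev/null 2>&1
    rc=$?
    if [ "$(agent_state "$rc")" = unreachable ]; then
        eval "$(ssh-agent -s)" >/dev/null
        # Kill our agent however the session ends; this trap never runs
        # if the session is started with exec.
        trap 'ssh-agent -k >/dev/null 2>&1' EXIT
    fi

    askpass=$(first_executable "$ASKPASS_CANDIDATES")
    keys=$(existing_keys "$KEY_CANDIDATES")
    if [ -n "$askpass" ] && [ -n "$keys" ]; then
        # With stdin not a terminal and DISPLAY set, ssh-add prompts via
        # SSH_ASKPASS instead of the terminal startx was run from.
        # -c: confirm each use of the key; -t: bound its time in the agent.
        # $keys is deliberately unquoted: one argument per key path.
        SSH_ASKPASS="$askpass" ssh-add -c -t "$KEY_LIFETIME" $keys </dev/null &
    fi

    "$SESSION"    # foreground: when this returns, the script (and trap) finish
}

# Run the session only when invoked as ~/.xinitrc (startx) or ~/.xsession
# (xdm); sourcing the file elsewhere just defines the functions above.
case "$0" in
    *.xinitrc|*.xsession) main ;;
esac
```

The helper functions are plain POSIX sh, so the file can be sourced to check them without starting X; only the final case statement launches the session, and only when xinit or xdm runs the file under its real name.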