Date: Fri, 4 Jun 2010 10:07:50 -0700
From: Steve Franks <bahamasfranks@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: x11/xfce ssh-agent once per logon for minimal (no gnome/kde) installation
Message-ID: <AANLkTikmKDuYDkC7uJMYgNqO1iiVR8Hi8ndEUGTl0jrg@mail.gmail.com>
In-Reply-To: <AANLkTinI3VzlbkPxtCSfhuKy4j57ZWPLAv3w60vyOajt@mail.gmail.com>
References: <AANLkTinH9tyjtehPBvzeixTW8oMUOCvWKqIU8l39shVY@mail.gmail.com> <4C08A39F.5@infracaninophile.co.uk> <AANLkTinI3VzlbkPxtCSfhuKy4j57ZWPLAv3w60vyOajt@mail.gmail.com>
On Fri, Jun 4, 2010 at 9:07 AM, Steve Franks <bahamasfranks@gmail.com> wrote:
> On Thu, Jun 3, 2010 at 11:56 PM, Matthew Seaman
> <m.seaman@infracaninophile.co.uk> wrote:
>> On 04/06/2010 24:39:46, Steve Franks wrote:
>>> I'm totally lost. What I desire is to put in my passphrase for my
>>> public key(s) when I logon to my box. Since I usually install from
>>> ports and use xfce, I have no infrastructure for this, and I'm getting
>>> nowhere fast. My Fedora box popped up a nice little "enter
>>> passphrase" box the very first time I ssh'd to my server, and now it
>>> 'just works'. My FreeBSD boxes (which are many - everything *but* the
>>> laptop with Fedora), 'just don't work'. I've installed everything
>>> with 'ssh' and either 'key' or 'agent' in the name from
>>> ports/security, and gone through the manpages, and tweaked countless
>>> environment variables, but every time I ssh on a FreeBSD box, it
>>> stubbornly locates the terminal I started any gui's from (i.e. meld +
>>> bzr), and asks for the passphrase a great many times daily. Add that
>>> I've started my gui with meld & (so as to continue using said terminal
>>> - don't love 'panels', 'choosers', 'menus', etc - guis are for word
>>> processors and file managers, not desktops), I can't even type in the
>>> passphrase there. I generally like using FreeBSD caveman style, but
>>> this is starting to drive me nuts. No meld/bzr == no work from home == no
>>> happiness ;)
>>>
>>> Anyone have a 'standard' / FreeBSD-friendly best-practices for this?
>>> I think I'm just cluttering up my system here.
>>
>> The problem you have is that you need to start ssh-agent(1) somewhere
>> very early in your login process, so that your entire desktop
>> environment can inherit all the necessary ssh-agent settings.
>>
>> Exactly what to do depends on how you get into X11. If you run
>> startx(1) manually when you want to switch from console to X11 then you
>> need to edit your ~/.xinitrc
>>
>> Alternatively, if you use a display manager like xdm(1) -- ie. there's
>> an X based graphical login -- then you have two choices: edit your
>> ~/.xsession or tweak the pam configuration for your login manager.
>>
>> If you want to go the 'edit .xinitrc or .xsession' route then you need
>> to do basically the same thing for either of those two files. They're
>> pretty much just scripts that start up the initial X applications for
>> your login session: practically speaking, that means starting up your
>> window manager. It's possible you don't have either of those files
>> explicitly in your account: in either case the system will run a
>> standard default script if it can't find a user specific version.
>>
>> The .xinitrc or .xsession file should look something like this:
>>
>> #!/bin/sh
>>
>> # Import user environment settings
>> . ${HOME}/.profile
>>
>> eval $( ssh-agent -s )
>>
>> # Eg. pop up an xterm so you can enter your ssh passphrase
>> xterm -geometry 80x24-91+0 -e /usr/bin/ssh-add -c ${HOME}/.ssh/id_rsa &
>>
>> # Note: no '&' -- this should run in the foreground
>> xfce
>>
>> eval $( ssh-agent -k )
>> #
>> # That's All Folks!
>> #
>>
>> This is just a rough outline, which you should adapt to your own needs
>> -- in particular there are nicer apps you can use for entering a
>> passphrase. Also note that you can probably omit that bit from the
>> .xinitrc or .xsession and have your window manager run it. In any case,
>> the important bits are the two 'eval' lines bracketing the
>> window-manager startup.
>>
>> The other possibility -- which is only available if you are using a
>> display manager like xdm(1) -- is tweaking the pam settings. For xdm,
>> edit the file /etc/pam.d/xdm and uncomment the two lines mentioning
>> pam_ssh. Now you will be able to log into your system via xdm using
>> your ssh passphrase, and xdm will start up ssh-agent for your session
>> and add your key to it. Different display managers will have their own
>> pam.d files (either in /etc/pam.d or in /usr/local/etc/pam.d) but you
>> should be able to make equivalent changes there -- either uncomment or
>> add pam_ssh lines in the auth or session sections.
>>
>>         Cheers,
>>
>>         Matthew
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>>                                                   Flat 3
>> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
>
>
> Ah, sometimes you're just a command away! I'm surprised I couldn't
> google this (too many ssh examples, all the x11+agent ones must be
> hidden).
>
> So for posterity, this is the relevant portion of the .xinitrc file:
> ...
> export SSH_ASKPASS=/usr/local/bin/x11-ssh-askpass
> eval $( ssh-agent -s )
> ssh-add &
> xfce4-session
> eval $( ssh-agent -k )
> ....
>
> I was using "exec xfce4-session" as in most of the examples for
> .xinitrc files, which seemed to be mucking things up - ditching the
> exec was one of the key steps on my system.
>
> Now, when I login, xfce starts normally, and concurrently, a nice
> little window pops up asking for my passphrase for my keys! Now I can
> ssh (and bzr) with impunity.
>
> Thanks!
> Steve
>

Oh, and if anyone needs a serviceable reference to generating & installing keys, I found this one handy:

http://sshkeychain.sourceforge.net/mirrors/SSH-with-Keys-HOWTO/SSH-with-Keys-HOWTO-4.html

Steve
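A fuller version of the .xinitrc idea from Matthew's reply and Steve's working snippet, as an added example that is not code from the thread. It reuses an agent that is already reachable (for instance one started by pam_ssh at an xdm login) instead of starting a second one, starts a fresh agent with a key lifetime when none is found, checks what ssh-agent printed before exporting it, loads keys through the askpass program in the background, runs the session in the foreground and kills only the agent it started when the session ends. The askpass path and session command are the ones Steve used; the 8h lifetime, the key file names, the sample agent output and all function names are assumptions made here.

```sh
#!/bin/sh
# ~/.xinitrc (or ~/.xsession): one ssh-agent per X login, keys loaded through
# an askpass dialog, agent killed when the session ends.
# Added example, not from the mailing-list thread.  Assumed settings:
#   SSH_ASKPASS  - askpass program (security/x11-ssh-askpass on FreeBSD)
#   SESSION      - session command (xfce4-session, as in the thread)
#   KEY_LIFETIME - the agent forgets loaded keys after this long (assumed 8h)
SSH_ASKPASS=${SSH_ASKPASS:-/usr/local/bin/x11-ssh-askpass}
SESSION=${SESSION:-xfce4-session}
KEY_LIFETIME=${KEY_LIFETIME:-8h}
STARTED_AGENT=0

# Constructed sample of what `ssh-agent -s` prints; used only for self-checks.
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-XXXXabcd/agent.4242; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4243; export SSH_AGENT_PID;
echo Agent pid 4243;'

# Extract and validate SSH_AUTH_SOCK / SSH_AGENT_PID from ssh-agent's output
# rather than eval'ing it unseen.  Prints "SOCK PID" on success; returns 1 if
# either value is missing or malformed.
parse_agent_output() {
    _sock=$(printf '%s\n' "$1" | sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' | head -n 1)
    _pid=$(printf '%s\n' "$1" | sed -n 's/^SSH_AGENT_PID=\([0-9][0-9]*\);.*/\1/p' | head -n 1)
    case "$_sock" in
        /*) ;;                          # must be an absolute path ...
        *) return 1 ;;
    esac
    case "$_sock" in
        *[[:space:]]*) return 1 ;;      # ... with no whitespace in it
    esac
    [ -n "$_pid" ] || return 1
    printf '%s %s\n' "$_sock" "$_pid"
}

# 0 if an agent is already reachable (with or without keys loaded).
# ssh-add -l exits 2 only when it cannot contact an agent.
agent_alive() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

start_agent() {
    _out=$(ssh-agent -s -t "$KEY_LIFETIME") || return 1
    _env=$(parse_agent_output "$_out") || return 1
    SSH_AUTH_SOCK=${_env% *}
    SSH_AGENT_PID=${_env#* }
    export SSH_AUTH_SOCK SSH_AGENT_PID
    STARTED_AGENT=1
}

# Load keys in the background so the window manager is not held up.
# stdin from /dev/null guarantees ssh-add has no terminal, so with DISPLAY
# set it uses $SSH_ASKPASS for the passphrase.  -c makes the agent ask for
# confirmation (through the same askpass program) each time a key is used.
load_keys_async() {
    (
        for k in "$HOME/.ssh/id_ed25519" "$HOME/.ssh/id_rsa"; do
            [ -r "$k" ] && ssh-add -c "$k" </dev/null >/dev/null 2>&1
        done
    ) &
}

# Kill only an agent this script started; leave an inherited one alone.
cleanup() {
    if [ "$STARTED_AGENT" = 1 ]; then
        ssh-agent -k >/dev/null 2>&1
    fi
}

main() {
    [ -n "${DISPLAY:-}" ] || { echo "DISPLAY not set; not starting a session" >&2; return 1; }
    # Export before starting the agent so the agent inherits it for -c prompts.
    export SSH_ASKPASS
    agent_alive || start_agent || { echo "cannot start ssh-agent" >&2; return 1; }
    trap cleanup EXIT HUP TERM
    load_keys_async
    # Foreground, not "exec": control must come back here for cleanup to run.
    "$SESSION"
}

# Runs the session only when installed as ~/.xinitrc or ~/.xsession; under
# any other file name this just defines the functions above.
case "${0##*/}" in
    .xinitrc|.xsession) main ;;
esac
```

Copy it to ~/.xinitrc for startx or ~/.xsession for xdm and make it executable. The stdin redirect is what makes ssh-add use SSH_ASKPASS: it only falls back to the askpass program when it has no terminal and DISPLAY is set, which is also why Steve's backgrounded `ssh-add &` worked (in a non-interactive script a background job gets /dev/null on stdin). The trap matters because a session that dies by crash or by the display manager killing it would otherwise leave an orphaned agent holding decrypted keys; the -t lifetime bounds that exposure even when cleanup never runs.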