From: Joe Kelsey
Date: Mon, 13 Oct 2003 07:56:21 -0700
To: stable@freebsd.org, gnome@freebsd.org
Subject: Using pam_ssh with gdm

I want to use pam_ssh with gdm to "streamline" my login. From reading the pam_ssh man page, it claims that the session module starts ssh-agent and passes any authenticated keys. Keys get authenticated during the "auth" phase.

I currently have the following lines in /etc/pam.conf:

# GDM (GNOME Display Manager)
gdm     auth      required  pam_unix.so
gdm     auth      optional  pam_ssh.so   debug
gdm     account   required  pam_unix.so  try_first_pass
gdm     session   required  pam_ssh.so   debug
gdm     password  required  pam_deny.so

During login, I get prompted for my UNIX password and for my SSH passphrase.
I enter both, and the authentication *always* fails on the first try, logging the following to syslog:

Oct 13 07:24:30 zircon gdm[186]: Couldn't open session for joek

Then, gdm resets and I reenter the password and passphrase. The second time, I get in. Apparently, now ssh-agent has started, but pam_ssh did not pass along any authentication information, so I have to call ssh-add by hand to actually enter the key information. This means that every time I log in, I have to type my password twice and my passphrase three times.

Notice that I set the "debug" flag to pam_ssh. However, I cannot find any trace of debug information in any syslog. I have even turned on /var/log/all.log (*.*) and I still get absolutely no information from pam.

What do I need to do to make pam_ssh actually do what the manual page says it does? I want it to set up my keys with the ssh-agent it starts on the first try without this seemingly needless "first try failure".

I hope that someone has some information to help me out. Does anyone actually *use* pam_ssh?

/Joe