> This is a problem as the passphrases for ssh keys can be different from
> the user's system password. So the pam_ssh is definitely not a
> replacement for ssh-agent.

This is not an issue for pam_ssh, as pam_ssh may ask for the passphrase.
There is a difference, though. Indeed with pam_ssh the passphrase is always
asked for, with ssh-agent the passphrase is only asked for if the user
launches ssh-add.

With the following /etc/pam.d/gdm I log in using a password checked by
service=system-auth, then give the passphrase to pam_ssh in the auth phase,
and the login succeeds even if I give a bad passphrase. If the passphrase
was right, the agent is launched in the session phase:

#%PAM-1.0
auth       required    pam_env.so
auth       required    pam_stack.so service=system-auth
auth       required    pam_nologin.so
auth       optional    pam_ssh.so
account    required    pam_stack.so service=system-auth
password   required    pam_stack.so service=system-auth
session    required    pam_stack.so service=system-auth
session    optional    pam_console.so
session    optional    pam_ssh.so

Of course there are other usages of pam_ssh, for example it may be
required in the auth phase.

--
Pat

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
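
Added example, not part of the original message: a simplified model of how Linux-PAM combines control flags, run over the gdm stack from the message, showing why a bad passphrase does not fail the login while pam_ssh is optional in the auth phase, and what changes if it is made required. The function names and the module-result map are assumptions for illustration; pam_stack.so is treated as a single module whose result is that of system-auth.

```python
# Simplified model of the Linux-PAM control flags required, requisite,
# sufficient and optional (the bracketed [value=action] syntax is not handled).
GDM_PAM = """\
#%PAM-1.0
auth       required    pam_env.so
auth       required    pam_stack.so service=system-auth
auth       required    pam_nologin.so
auth       optional    pam_ssh.so
account    required    pam_stack.so service=system-auth
password   required    pam_stack.so service=system-auth
session    required    pam_stack.so service=system-auth
session    optional    pam_console.so
session    optional    pam_ssh.so
"""

def parse(text):
    """Return a list of (type, control, module, args) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and the #%PAM header
        if line:
            mtype, control, module, *args = line.split()
            entries.append((mtype, control, module, args))
    return entries

def evaluate(entries, mtype, results):
    """Outcome of one stack. `results` maps module name -> True (success) or
    False (failure); modules not listed are assumed to succeed."""
    failed = succeeded = False
    for etype, control, module, _ in entries:
        if etype != mtype:
            continue
        if results.get(module, True):
            succeeded = True
            if control == "sufficient" and not failed:
                return True                    # succeed immediately
        elif control == "requisite":
            return False                       # fail immediately
        elif control == "required":
            failed = True                      # fail, but keep running the stack
        # a failing optional or sufficient module is ignored
    return succeeded and not failed

def with_control(entries, mtype, module, control):
    """Copy of the entries with one module's control flag replaced."""
    return [(t, control if (t, m) == (mtype, module) else c, m, a)
            for t, c, m, a in entries]
```

Calling `evaluate(parse(GDM_PAM), "auth", {"pam_ssh.so": False})` models the bad-passphrase login described in the message; `with_control(..., "auth", "pam_ssh.so", "required")` models the stricter variant.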