Re: sending through a remote MTA with ssh
On Thu, Feb 16, 2006 at 08:13:44PM +0100, Louis-David Mitterrand wrote:
> On Thu, Feb 16, 2006 at 02:06:35PM -0500, Derek Martin wrote:
> > On Thu, Feb 16, 2006 at 06:56:20PM +0000, Chris Green wrote:
> > > > Presumably by "set up secure keys and allow passwordless login without
> > > > using ssh_agent" you mean you've created keys with no passphrase.
> > >
> > > Yes, sorry, that's the one. It's a while since I did it so I'd
> > > forgotten the details. .... and I did read all about the security
> > > risks.
> >
> > No doubt, but there are potentially lots of other eyes (the original
> > poster, for example) reading this thread who are probably not aware of
> > the risks... ;-)
>
> Thanks for your concern :) I am the OP and have clearly stated in a
> subsequent message that I use ssh-agent with an xdm single-signon
> pam_ssh module, so my ssh keys are encrypted, and I wouldn't have it any
> other way. There really is no reason to keep UN-encrypted ssh keys,
> since it's so easy to start ssh-agent upon entering one's window
> manager.
For all practical purposes here is how I do it:
1) use a ssh key passphrase identical to my unix password
2) install pam_ssh module
3) modify /etc/pam.d/xdm (kdm, gdm, etc.):
--- xdm.orig 2004-04-28 10:41:01.000000000 +0200
+++ xdm 2006-01-11 11:39:44.000000000 +0100
@@ -1,8 +1,10 @@
-# $Id: xdm.pam 1325 2004-04-28 08:41:01Z branden $
+# $Id: xdm.pam 189 2005-06-11 00:04:27Z branden $
@include common-auth
+@include pam-ssh-auth
@include common-account
@include common-session
+@include pam-ssh-session
@include common-password
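Review bot: the hunk header `@@ -1,8 +1,10 @@` announces 8 old and 10 new lines, but only 5 old and 7 new lines are shown, so blank lines were most likely lost in quoting and this will not apply cleanly with `patch`; readers should make the two `@include` additions by hand. The included files `pam-ssh-auth` and `pam-ssh-session` are also not shown, so the control flag and options pam_ssh runs with are invisible; since step 1 relies on the key passphrase matching the unix password, say that `pam-ssh-auth` calls pam_ssh with `try_first_pass` (or `use_first_pass`) so the password already collected by `common-auth` is reused rather than prompted for a second time, and consider the `optional` control so that a missing or corrupt key cannot lock the user out of X. The `$Id:` line change (`1325` to `189`) is packaging noise unrelated to the pam_ssh setup and could be left out of the diff.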
Done! ssh-agent will run with your main ssh key loaded once you are logged
in to your X session.
--
If I want your opinion I'll give you one.
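The point the thread keeps returning to is that a private key should never sit on disk without a passphrase. As an added example, not code from this thread or from the pam_ssh project, here is a small Python checker that reads a key file's header to decide whether it is passphrase-protected: legacy PEM keys carry a `Proc-Type: 4,ENCRYPTED` header, PKCS#8 keys announce themselves as `BEGIN ENCRYPTED PRIVATE KEY`, and OpenSSH-format keys record the cipher name (`none` when unprotected) at the start of the base64 blob. The sample key texts are constructed inline and are not real keys, and the function names (`key_is_encrypted`, `unprotected_keys`, `scan_ssh_dir`) are my own.

```python
import base64
import os
import struct

# Magic string at the start of an OpenSSH-format ("openssh-key-v1") private key blob.
MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """CONSTRUCTED test input: an OpenSSH-format key file carrying only the header
    fields this checker reads (magic, ciphername, kdfname, kdfoptions, key count).
    It is not a usable key."""
    raw = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    body = base64.b64encode(raw).decode("ascii")
    wrapped = "\n".join(body[i:i + 70] for i in range(0, len(body), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped + "\n-----END OPENSSH PRIVATE KEY-----\n"


def key_is_encrypted(text: str) -> bool:
    """Return True if the private key text is passphrase-protected, False if it is
    stored in the clear. Raises ValueError for anything that is not a known key format."""
    lines = [line.strip() for line in text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Decode the blob and read the ciphername string that follows the magic.
        body = "".join(line for line in lines[1:] if not line.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(MAGIC):
            raise ValueError("bad OpenSSH private key magic")
        off = len(MAGIC)
        (n,) = struct.unpack(">I", raw[off:off + 4])
        cipher = raw[off + 4:off + 4 + n]
        return cipher != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return True
    if header == "-----BEGIN PRIVATE KEY-----":             # PKCS#8, cleartext
        return False
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
        return any(line.startswith("Proc-Type:") and "ENCRYPTED" in line for line in lines[1:])
    raise ValueError("not a recognised private key file")


# Constructed sample key texts (the base64 is filler, not key material).
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

Tm90IGEgcmVhbCBrZXksIGp1c3QgY29uc3RydWN0ZWQgc2FtcGxlIHRleHQuCg==
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
Tm90IGEgcmVhbCBrZXksIGp1c3QgY29uc3RydWN0ZWQgc2FtcGxlIHRleHQuCg==
-----END RSA PRIVATE KEY-----
"""
SAMPLE_KEYS = {
    "id_rsa": LEGACY_ENCRYPTED,
    "id_rsa_backup": LEGACY_PLAIN,
    "id_ed25519": make_openssh_key(b"aes256-ctr", b"bcrypt"),
    "id_ed25519_old": make_openssh_key(b"none", b"none"),
}


def unprotected_keys(keys: dict) -> list:
    """Given {filename: key text}, return the sorted names of keys stored without a passphrase."""
    return sorted(name for name, text in keys.items() if not key_is_encrypted(text))


def scan_ssh_dir(path: str) -> list:
    """Collect every private key file in a directory and report the unprotected ones."""
    found = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, errors="replace") as fh:
            text = fh.read()
        first = text.lstrip().splitlines()
        if not first or not (first[0].startswith("-----BEGIN ") and first[0].endswith(" PRIVATE KEY-----")):
            continue
        try:
            key_is_encrypted(text)          # skip files that look like keys but do not parse
        except ValueError:
            continue
        found[name] = text
    return unprotected_keys(found)


if __name__ == "__main__":
    print("unprotected among constructed samples:", unprotected_keys(SAMPLE_KEYS))
    ssh_dir = os.path.expanduser("~/.ssh")
    if os.path.isdir(ssh_dir):
        print("unprotected keys in", ssh_dir + ":", scan_ssh_dir(ssh_dir))
```

The header check is cheap and needs no OpenSSH tooling, which makes it usable from a periodic audit job. When ssh-keygen is available, `ssh-keygen -y -P '' -f <keyfile>` is the authoritative test: it prints the public key only when the empty passphrase unlocks the file.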