
Re: sending through a remote MTA with ssh



On Thu, Feb 16, 2006 at 08:13:44PM +0100, Louis-David Mitterrand wrote:
> On Thu, Feb 16, 2006 at 02:06:35PM -0500, Derek Martin wrote:
> > On Thu, Feb 16, 2006 at 06:56:20PM +0000, Chris Green wrote:
> > > > Presumably by "set up secure keys and allow passwordless login without
> > > > using ssh_agent" you mean you've created keys with no passphrase.
> > >  
> > > Yes, sorry, that's the one.  It's a while since I did it so I'd
> > > forgotten the details.  .... and I did read all about the security
> > > risks.
> > 
> > No doubt, but there are potentially lots of other eyes (the original
> > poster, for example) reading this thread who are probably not aware of
> > the risks... ;-)
> 
> Thanks for your concern :) I am the OP and have clearly stated in a 
> subsequent message that I use ssh-agent with an xdm single-signon 
> pam_ssh module, so my ssh keys are encrypted, and I wouldn't have it any 
> other way. There really is no reason to keep UN-encrypted ssh keys, 
> since it's so easy to start ssh-agent upon entering one's window 
> manager.

For all practical purposes, here is how I do it:

1) use an ssh key passphrase identical to my unix password

2) install pam_ssh module

3) modify /etc/pam.d/xdm (kdm, gdm, etc.):

        --- xdm.orig    2004-04-28 10:41:01.000000000 +0200
        +++ xdm 2006-01-11 11:39:44.000000000 +0100
        @@ -1,8 +1,10 @@
        -# $Id: xdm.pam 1325 2004-04-28 08:41:01Z branden $
        +# $Id: xdm.pam 189 2005-06-11 00:04:27Z branden $
         
                 @include common-auth
                +@include pam-ssh-auth
                 @include common-account
                 @include common-session
                +@include pam-ssh-session
                 @include common-password
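
Review bot: The two added lines, "@include pam-ssh-auth" and "@include pam-ssh-session", refer to files whose contents this patch does not show, so the hunk alone does not tell a reader whether pam_ssh reuses the password already collected by common-auth or prompts a second time; that is decided by the control flags and module options inside common-auth and pam-ssh-auth. State where these two files come from (shipped by the pam_ssh package or written by hand) and include their contents alongside this change. The "$Id" line change at the top of the hunk is unrelated to enabling pam_ssh and should be left out of the patch.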

Done! ssh-agent will run with your main ssh key loaded once you are logged in 
to your X session.

-- 
If I want your opinion I'll give you one.