pam_ssh
Andrew J. Korty
ajk at iu.edu
Tue Nov 21 00:48:21 EST 2000
Greetings. Last year I completed a PAM module that provides
single sign-on behavior for UNIX using SSH. Users are
authenticated by decrypting their SSH private keys with the
password provided (probably to XDM). In the PAM session phase,
an ssh-agent process is started and any successfully decrypted
private keys are added. Hence, users only type their logins and
passwords once at the beginning of a session. As a side benefit,
system administrators can elect to rid the password database of
authentication data.

At the time I wrote pam_ssh, Theo de Raadt said he wanted to keep
the OpenSSH code base tightly controlled, so my patches were not
imported. FreeBSD was interested, however, and pam_ssh has been
part of the core ever since.

Now that the code has been performing well for a year in FreeBSD,
would you consider importing it into OpenSSH (where it truly
belongs, IMO)?

Btw, I recently added support for DSA keys, though the changes
have not yet been committed into FreeBSD. I noticed that, even
though ssh-agent is able to cache DSA keys, ssh still doesn't
seem to be able to grab them from the agent. I tried this with
pam_ssh as well as starting ssh-agent and running ssh-add
manually. Am I confused, or is full DSA support still in the
works?
--
Andrew J. Korty, Principal Security Engineer
Office of the Vice President for Information Technology
Indiana University
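The two-phase flow the message describes (authenticate by decrypting the user's private keys with the login password, then hand the decrypted keys to an agent when the session opens) is modelled below. This is an added example, not code from pam_ssh, FreeBSD or OpenSSH. It substitutes a constructed key container (PBKDF2 plus an HMAC tag over a SHA-256 keystream, so it runs on the Python standard library) for the real OpenSSH private-key format, and the function names pam_sm_authenticate, pam_sm_open_session and FakeAgent are hypothetical stand-ins for the PAM entry points and for ssh-agent. The security-relevant point it makes concrete is that the authentication decision must come from an integrity check on the decrypted key: a wrong password yields no key at all, never a garbage key, and the password database itself holds nothing to verify.

```python
"""Toy model of the pam_ssh control flow (added example, not pam_ssh code).

The encrypted "key file" is a constructed format: salt || ciphertext || tag,
with keys derived by PBKDF2-SHA256 and the tag an HMAC over salt+ciphertext.
Real OpenSSH keys use bcrypt_pbkdf and a different container; only the
shape of the decision logic is meant to carry over.
"""
import hashlib
import hmac
import os

SALT_LEN, TAG_LEN = 16, 32


def _derive(passphrase: str, salt: bytes) -> tuple:
    """Derive separate stream and MAC keys from the passphrase (assumed KDF)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256; a toy cipher for the example only."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def seal_private_key(private_key: bytes, passphrase: str) -> bytes:
    """Encrypt-then-MAC a private key under a passphrase (constructed format)."""
    salt = os.urandom(SALT_LEN)
    sk, mk = _derive(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(sk, len(private_key))))
    tag = hmac.new(mk, salt + ct, "sha256").digest()
    return salt + ct + tag


def open_private_key(blob: bytes, passphrase: str):
    """Return the plaintext key, or None if the passphrase is wrong or the
    file was altered. The MAC check is what turns 'decrypt' into 'verify'."""
    if len(blob) < SALT_LEN + TAG_LEN:
        return None
    salt, ct, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    sk, mk = _derive(passphrase, salt)
    expected = hmac.new(mk, salt + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(sk, len(ct))))


def pam_sm_authenticate(user_keys: dict, password: str) -> tuple:
    """Auth phase (hypothetical stand-in for the PAM entry point): try the
    password against each of the user's encrypted keys. Succeed only if at
    least one key verifies; keep the plaintext keys for the session phase."""
    decrypted = {}
    for name, blob in user_keys.items():
        key = open_private_key(blob, password)
        if key is not None:
            decrypted[name] = key
    if not decrypted:
        return "PAM_AUTH_ERR", {}
    return "PAM_SUCCESS", decrypted


class FakeAgent:
    """In-memory stand-in for the per-session ssh-agent process."""

    def __init__(self):
        self.keys = []

    def add(self, key: bytes) -> None:
        self.keys.append(key)


def pam_sm_open_session(decrypted: dict) -> FakeAgent:
    """Session phase: start an agent and add every key that was decrypted."""
    agent = FakeAgent()
    for key in decrypted.values():
        agent.add(key)
    return agent


def demo() -> int:
    """Constructed user with two keys; returns how many reached the agent."""
    store = {
        "id_rsa": seal_private_key(b"RSA-PRIVATE-KEY-BYTES", "correct horse"),
        "id_dsa": seal_private_key(b"DSA-PRIVATE-KEY-BYTES", "correct horse"),
    }
    status, keys = pam_sm_authenticate(store, "correct horse")
    if status != "PAM_SUCCESS":
        return 0
    return len(pam_sm_open_session(keys).keys)


if __name__ == "__main__":
    print(demo())
```

Two details are worth carrying over to any real implementation: the decrypted keys exist in process memory between the two phases, so the module must clear them once the agent has them, and a wrong password costs one full KDF pass per key, which is what makes offline guessing against a stolen key file slow.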