With keychain you only have to provide the passphrase for your (ssh and other) key once and can then connect to any machine that has authorized that key. So far so good.
However, when logging in locally you still have to enter your unix password. In practice this usually means that you have to enter your password and then your passphrase when you first log in. It doesn't have to be that way.
Simply install sys-auth/pam_ssh and edit /etc/pam.d/system-auth to look like the example provided on pam_ssh's homepage.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_ssh.so
auth sufficient /lib/security/pam_unix.so try_first_pass likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session sufficient /lib/security/pam_ssh.so
session required /lib/security/pam_unix.so
(This is the example from upstream; don't overwrite the existing system-auth with it, use your brain.)
One important thing to notice is that pam_permit.so has been replaced with pam_deny.so. I don't know why gentoo uses pam_permit.so in the first place, but I remember that it didn't use to be that way. Also, the pam documentation has this to say about pam_permit.so: "This module is very dangerous. It should be used with extreme caution."
The reason why we have to replace pam_permit.so with pam_deny.so is that we no longer auth-require pam_unix.so and also do not require pam_ssh.so. This way users that do not have an ssh key can still log in using their unix password, while those that do have a key will use pam_ssh.so to log in.
It is probably a good idea to change your password to be identical to your key's passphrase - you are not going to use your password very much from here on and might forget it... at least if you have passwords of the kind I have (I have no idea what characters it contains, but my fingers remember what has to be done.)
Also, try to log in without providing a password. If this succeeds (and no ssh-agent already stores your key) then you really have to double-check your configuration.
Last edited by tarsius (2011-02-01 19:54:02)
I think you should change md5 to sha512 (it has been the standard in gentoo for some time already).
Also, one password for key and system login is insecure; I would not suggest that, ever. pam_usb may be a nice idea to skip the login process.
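As an added example, not code from the thread or from pam_ssh: a small audit script that checks a system-auth stack for the points raised above (no pam_permit.so in the auth stack, pam_deny.so terminating it, pam_ssh.so not "required", and the md5 hashing that the reply recommends changing to sha512). The sample stack is the upstream example quoted above; the function names are this example's own, and only plain control keywords (required/sufficient/...) are handled, not bracketed ones.

```python
# Added example: audit a PAM stack such as /etc/pam.d/system-auth for the
# configuration points discussed in this thread. Function names are hypothetical.

# Constructed sample: the upstream pam_ssh example quoted earlier in the thread.
SAMPLE_SYSTEM_AUTH = """\
auth     required   /lib/security/pam_env.so
auth     sufficient /lib/security/pam_ssh.so
auth     sufficient /lib/security/pam_unix.so try_first_pass likeauth nullok
auth     required   /lib/security/pam_deny.so
account  required   /lib/security/pam_unix.so
password required   /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required   /lib/security/pam_deny.so
session  required   /lib/security/pam_limits.so
session  sufficient /lib/security/pam_ssh.so
session  required   /lib/security/pam_unix.so
"""

def parse_pam_stack(text):
    """Return (type, control, module, args) tuples; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3:          # blank line or not a full "type control module" entry
            continue
        module = parts[2].rsplit("/", 1)[-1]   # strip the /lib/security/ prefix
        entries.append((parts[0], parts[1], module, parts[3:]))
    return entries

def audit_pam_stack(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    entries = parse_pam_stack(text)
    auth = [e for e in entries if e[0] == "auth"]
    if any(e[2] == "pam_permit.so" for e in auth):
        findings.append("auth stack uses pam_permit.so")
    if not auth or auth[-1][1] != "required" or auth[-1][2] != "pam_deny.so":
        findings.append("auth stack does not end with 'required pam_deny.so'")
    if any(e[2] == "pam_ssh.so" and e[1] == "required" for e in auth):
        findings.append("pam_ssh.so is 'required': users without a key cannot log in")
    for e in entries:
        if e[0] == "password" and e[2] == "pam_unix.so" and "md5" in e[3]:
            findings.append("pam_unix.so password hashing uses md5; prefer sha512")
    return findings

if __name__ == "__main__":
    for finding in audit_pam_stack(SAMPLE_SYSTEM_AUTH):
        print("WARNING:", finding)
```

Run it against a copy of your own system-auth by reading the file into audit_pam_stack; the sample above reports only the md5 finding.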
I think this is a very interesting way to configure your system and this would be good information to migrate to the wiki.
Piotr: Yes. The example above was copied straight from upstream. I have updated the original post to emphasize that it shouldn't be used as is.
Head Honcho: I agree, however I just bought some nice boxes at IKEA... No seriously, I have added it to my TODO.
If someone else wants to put this on the wiki without much added information please feel free to do so. I can give you some additional pointers.
Before I do that myself however I want to learn a bit more about pam and especially pam_gpg (also known as poldi). Also I just discovered that this might not work with 'su -'.