Using pam_ssh with gdm
Joe Kelsey
joek at mail.flyingcroc.net
Tue Oct 14 07:20:05 PDT 2003
Volker Stolz wrote:
> On 13 Oct 2003 at 16:56 CEST, Joe Kelsey wrote:
>
>>first try, logging the following to syslog:
>>Oct 13 07:24:30 zircon gdm[186]: Couldn't open session for joek
>>
>>Then, gdm resets and I reenter the password and passphrase. The second
>>time, I get in. Apparently, now ssh-agent has started, but pam_ssh did
>>not pass along any authentication information, so I have to call ssh-add
>>by hand to actually enter the key information. This means that every
>>time I log in, I have to type my password twice and my passphrase three
>>times.
>
>
> The first thing you're probably experiencing is this:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/45669
>
> Description
> The pam_ssh module uses popen() to start an ssh-agent for the user during PAM
> authentication. However, pclose() causes the pam-module to return an error if
> somebody else already called waitpid(-1,...) because now pclose returns -1
> and errno is set to ECHILD (observed with gdm, which uses a whole bunch of processes).

That fits exactly! I stumbled on a gdm error message in the logs about
ssh-agent and child processes. I run 4-STABLE, your PR relates to
5-CURRENT. Has anyone done anything about fixing this in 4-STABLE?

Also, switching to only using my ssh passphrase doesn't tickle the
ssh-agent child process bug.

Also, why doesn't pam_ssh export my identities into ssh-agent? I still
have to do a separate ssh-add to load the keys into ssh-agent. The
pam_ssh man page still says that it does this, but obviously it doesn't.

/Joe
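
The pclose()/ECHILD failure quoted from the PR above, as an added example that is not part of the original message and is not pam_ssh's code: it reproduces the lost exit status by calling waitpid(-1, ...) between popen() and pclose(), and separates "status lost" from a real failure. The names `run_helper` and `classify_pclose` and the `echo` command standing in for ssh-agent are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>

enum close_result { CLOSE_OK, CLOSE_STATUS_LOST, CLOSE_FAILED };

/* Classify pclose(): -1 with ECHILD means the child was already reaped
 * elsewhere, so its exit status is lost although its output was read. */
static enum close_result classify_pclose(FILE *fp)
{
    int st = pclose(fp);
    if (st == -1)
        return errno == ECHILD ? CLOSE_STATUS_LOST : CLOSE_FAILED;
    return (WIFEXITED(st) && WEXITSTATUS(st) == 0) ? CLOSE_OK : CLOSE_FAILED;
}

/* Hypothetical helper: run cmd, keep its first output line in out.
 * foreign_reaper != 0 simulates other code calling waitpid(-1, ...)
 * between popen() and pclose(), as the PR describes for gdm. */
enum close_result run_helper(const char *cmd, int foreign_reaper,
                             char *out, size_t outlen)
{
    FILE *fp = popen(cmd, "r");
    if (fp == NULL)
        return CLOSE_FAILED;
    out[0] = '\0';
    if (fgets(out, (int)outlen, fp) != NULL)
        out[strcspn(out, "\n")] = '\0';
    while (fgetc(fp) != EOF)
        ;                               /* drain the rest of the pipe */
    if (foreign_reaper)
        (void)waitpid(-1, NULL, 0);     /* steals the child's exit status */
    return classify_pclose(fp);
}

int main(void)
{
    /* Constructed stand-in for ssh-agent's output, not a real socket. */
    const char *cmd = "echo SSH_AUTH_SOCK=/tmp/constructed.sock";
    char line[128];
    static const char *names[] = { "ok", "status lost (ECHILD)", "failed" };

    printf("no reaper:      %s\n", names[run_helper(cmd, 0, line, sizeof line)]);
    printf("foreign reaper: %s, output still read: %s\n",
           names[run_helper(cmd, 1, line, sizeof line)], line);
    return 0;
}
```

Whether a caller accepts `CLOSE_STATUS_LOST` is a policy choice: the helper's output arrived intact, but its exit code can no longer be checked.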