Here is a PAM module that allows users to authenticate by typing their SSH passphrases into KDM, the login program, or anything else with PAM support. If used as a session module as well, an ssh-agent is started and the private key is added on behalf of the user.

If your users only log in via SSH or directly on the console, you can get rid of UNIX passwords in /etc/master.passwd. Naturally, this module is only for use when logging onto the console. The module should be placed after pam_cleartext_pass_ok.so in /etc/pam.conf, and users should be informed what situations are inappropriate for typing their SSH passphrases.

The patches below apply to the OpenSSH port. (They are meant to be applied before any of the patches in the "patches" subdirectory.)

How-To-Repeat:

This module works best with KDM, which has full PAM support. Configure it with --with-pam, apply the patch I submitted in ports/15157, recompile, and reinstall KDM. Apply the patches below to the OpenSSH sources, and then install the port. Add the following lines to /etc/pam.conf:

    xdm auth sufficient pam_skey.so
    xdm auth requisite pam_cleartext_pass_ok.so
    xdm auth sufficient pam_ssh.so try_first_pass
    xdm auth required pam_unix.so try_first_pass
    xdm account required pam_unix.so
    xdm session optional pam_ssh.so

Kill and restart KDM.
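An added example, not part of the original report or of the OpenSSH port: a small Python check that every pam_ssh.so entry in a service's auth stack comes after a requisite pam_cleartext_pass_ok.so entry, which is the ordering the report asks for. The function names and the misordered sample are constructed here, and backslash line continuations in pam.conf are assumed not to be used.

```python
# Constructed sample: the xdm entries from the report, in /etc/pam.conf
# format (service  type  control  module  [args]).
SAMPLE_GOOD = """\
xdm auth sufficient pam_skey.so
xdm auth requisite pam_cleartext_pass_ok.so
xdm auth sufficient pam_ssh.so try_first_pass
xdm auth required pam_unix.so try_first_pass
xdm account required pam_unix.so
xdm session optional pam_ssh.so
"""

# Constructed misordering: pam_ssh.so is consulted before the cleartext gate.
SAMPLE_BAD = """\
xdm auth sufficient pam_ssh.so try_first_pass
xdm auth requisite pam_cleartext_pass_ok.so
xdm auth required pam_unix.so try_first_pass
"""

def parse_pam_conf(text):
    """Yield (lineno, service, type, control, module) for each entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 4:
            continue                            # blank or malformed line
        service, mtype, control, module = fields[:4]
        # Modules may be given with a full path; compare on the file name only.
        yield lineno, service, mtype.lower(), control.lower(), module.rsplit("/", 1)[-1]

def audit_pam_ssh(text):
    """Return (lineno, service) for each auth pam_ssh.so entry that is not
    preceded, in the same service, by a requisite pam_cleartext_pass_ok.so."""
    gated = set()      # services whose auth stack has already hit the gate
    findings = []
    for lineno, service, mtype, control, module in parse_pam_conf(text):
        if mtype != "auth":
            continue   # session/account entries do not prompt for the passphrase
        if module == "pam_cleartext_pass_ok.so" and control == "requisite":
            gated.add(service)
        elif module == "pam_ssh.so" and service not in gated:
            findings.append((lineno, service))
    return findings

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        for lineno, service in audit_pam_ssh(sample):
            print(f"{name}: line {lineno}: {service}: pam_ssh.so is not behind the gate")
```

To audit a live system, pass the contents of /etc/pam.conf to audit_pam_ssh() instead of the samples.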
Responsible Changed
From-To: freebsd-ports->green
Over to maintainer
State Changed
From-To: open->closed
Great job! Thanks for the PAM module; it's been committed, with a few slight changes (i.e. adding the copyright and a few style things).