As part of a contract, I ported pam_ssh to Solaris 9 and 10 (x86 and SPARC). I've submitted the code back upstream, but pending the patch submission process, I've uploaded the code here in case anybody desperately needs to make this work in the interim.
This PAM module provides single sign-on behavior for SSH. The user types an SSH passphrase when logging in (probably to GDM, KDM, or XDM) and is authenticated if the passphrase successfully decrypts the user's SSH private key. In the PAM session phase, an ssh-agent process is started and keys are added. For the entire session, the user can SSH to other hosts that accept key authentication without typing any passwords.
- From: http://developer.novell.com/wiki/index.php/Pam_ssh
The official site for pam_ssh is http://pam-ssh.sourceforge.net/. pam_ssh is licensed under a variety of OSS licenses, please see the included file COPYING for details.
Get pam_ssh for Solaris:
- pam_ssh-1.97-bovine.tar.gz - pam_ssh 1.97 with patch applied
- pam_ssh-1.97-bovine.patch - Patch for pam_ssh 1.97
Note: The patch was created via hg diff and as a result will not apply with Solaris 10's default patch application. You will need to use a more modern patch program or grab the tarball.
- Install automake, autoconf and libtool (I use the CSW versions via pkg-get).
- Add these tools and gcc to your path. I used export PATH="/usr/sfw/bin:/opt/csw/bin:$PATH"
- Run: export MAKE=gmake
- Run: ./bootstrap.sh && ./configure && make && make install
- Edit /etc/pam.conf, for example, by adding the lines in bold:
login auth requisite pam_authtok_get.so.1 login auth sufficient pam_ssh.so try_first_pass login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth sufficient pam_unix_auth.so.1 login auth required pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1 other auth sufficient pam_ssh.so try_first_pass other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_unix_auth.so.1
- You should now be right to log in with an SSH key passphrase and have the ssh-agent start running.