
Create protected passwordless ssh logins - Part 1 of 3 UNIX
I debated posting this since there is already the excellent sshLogin to achieve the same goals outlined herein. Namely, passwordless ssh logins using RSA/DSA keys combined with the security of a passphrase protected identity file. I tried using sshLogin for a little while, but I wasn't quite happy with it. For one thing, I didn't like that whenever I logged in, sshLogin would briefly fire up an application (which would appear in my dock) to do its work. Secondly, it appeared to be a little heavy weight for my needs. And perhaps I had a little bit of not-invented-here syndrome.

In any case, this is a three-part tip since I think that even if you continue to use sshLogin, you'll find parts of this useful. Part 1 (this hint) will implement per-user login and logout hooks; Part 2 implements a Keychain command line utility; and Part 3 implements the whole process.

[robg adds: This three-part hint is quite advanced; I have not tested any of it, so you're on your own if you choose to try it on your machine. Before proceeding, you should have a solid level of knowledge concerning the Terminal, text editors, creating executable files, etc.]

Part 1: Implementing per-user Login/Logout hooks

As you may be aware, OS X provides a facility to run a command whenever a user logs in or out. However, that command always runs as root, and the only thing it is told is the username of the user logging in or out, passed as its first argument. I wanted to allow for per-user Login hooks on my system. Here's how I did it:

  1. Create the directory /Library/Hooks. Place in this directory a single shell-script, called LoginHook, whose contents are:
    #!/bin/sh
    # $1 is the username passed in by loginwindow; $0 is LoginHook or LogoutHook,
    # so one script serves both events.
    hook="/Users/$1/Library/Hooks/`basename $0`"
    [ -x "$hook" ] || exit 0   # no per-user hook: succeed quietly
    # Drop from root to the user before anything from their home directory runs.
    exec su - -f "$1" -c "$hook" "$@"
    

    [ IMPORTANT - this script assumes user home directories are still in the default location of /Users/<username>. If you've moved them, either adjust this script, or figure out how to make it more complicated by looking up the user home directories dynamically via something like getpwnam() ... ]

  2. Make sure the file and directory are owned by root and writable only by root. loginwindow runs LoginHook as root, so anyone who can write to /Library/Hooks gets root at the next login or logout:
    # chmod -R 755 /Library/Hooks
    # chown -R root:wheel /Library/Hooks
    
  3. Create a hard link to this file, called LogoutHook (the basename $0 test in the script is what tells the two events apart):
    # ln /Library/Hooks/LoginHook /Library/Hooks/LogoutHook
    
  4. Enable the login hooks via the defaults command:
    # defaults write com.apple.loginwindow LoginHook "/Library/Hooks/LoginHook"
    # defaults write com.apple.loginwindow LogoutHook "/Library/Hooks/LogoutHook"
    

    [ IMPORTANT - you have to run the defaults command as root, or via sudo, otherwise you'll update your personal com.apple.loginwindow preference file and not the global one. ]

    [ IMPORTANT - if you're using sshLogin, it will have already set these values. Other similar-type utilities may also set these hooks. Make sure you preserve the current settings for LoginHook and LogoutHook (defaults read com.apple.loginwindow) in case you want to back-out these changes. ]

That's it, you should now have per-user Login/Logout hooks enabled.
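
As an added example (not the original hint's script, and not part of Apple's loginwindow): the same dispatcher with the checks a practitioner would want before root hands control to a file found in a user's home directory. It resolves the home directory instead of assuming /Users/<username> (dscl is assumed to exist on later systems; the niutil call is the one the author posts in a later comment on this page; getent and /etc/passwd cover Linux), refuses a hook that is a symlink, not owned by that user, or group/world-writable, and only then drops to the user with su. The function names resolve_home, hook_is_safe and dispatch, and the "bad username" message, are my own.

```shell
#!/bin/sh
# Hardened per-user login/logout hook dispatcher (added example, not the
# original hint's code).  Install it exactly as in steps 1-4 above:
# /Library/Hooks/LoginHook and a hard link /Library/Hooks/LogoutHook, owned by
# root:wheel, mode 755.  loginwindow runs it as root with the username in $1.

# Print the user's home directory, trying the lookups available on the host:
# dscl (assumed present on 10.4 and later), niutil (the author's later
# NetInfo version), getent, then /etc/passwd.  Fails if none knows the user.
resolve_home() {
    user=$1
    home=""
    if command -v dscl >/dev/null 2>&1; then
        home=$(dscl . -read "/Users/$user" NFSHomeDirectory 2>/dev/null | awk '{print $2}')
    elif command -v niutil >/dev/null 2>&1; then
        home=$(niutil -readprop . "/users/$user" home 2>/dev/null) || home=""
    fi
    if [ -z "$home" ] && command -v getent >/dev/null 2>&1; then
        home=$(getent passwd "$user" 2>/dev/null | cut -d: -f6)
    fi
    if [ -z "$home" ] && [ -r /etc/passwd ]; then
        home=$(awk -F: -v u="$user" '$1 == u { print $6 }' /etc/passwd)
    fi
    [ -n "$home" ] || return 1
    printf '%s\n' "$home"
}

# Succeed only if $2 is a regular, executable file owned by uid $1 and not
# writable by group or others.  Uses `ls -ldn` (POSIX), so the same check
# works on macOS and Linux, and takes a numeric uid so no name lookup is needed.
hook_is_safe() {
    uid=$1
    hook=$2
    [ -L "$hook" ] && return 1          # a symlink could point outside the home
    [ -f "$hook" ] || return 1          # missing, or not a regular file
    [ -x "$hook" ] || return 1
    set -- $(ls -ldn "$hook")           # $1 = mode string, $3 = numeric owner
    [ "$3" = "$uid" ] || return 1
    case $1 in
        ?????w*|????????w*) return 1 ;; # 6th char = group w, 9th char = other w
    esac
    return 0
}

# Root entry point: locate the user's own hook and run it as that user.
dispatch() {
    user=$1
    # loginwindow supplies the name, but never let it steer the path we build.
    case $user in
        ''|*/*|.*) echo "LoginHook: bad username '$user'" >&2; exit 1 ;;
    esac
    home=$(resolve_home "$user") || { echo "LoginHook: no home for $user" >&2; exit 0; }
    uid=$(id -u "$user") || exit 0
    # The installed filename (LoginHook or LogoutHook) selects the user's hook.
    hook="$home/Library/Hooks/$(basename "$0")"
    hook_is_safe "$uid" "$hook" || exit 0
    # su drops root before anything from $home is executed; `-c` is accepted by
    # both the BSD su on OS X (passed through to the shell) and GNU su.
    exec su - "$user" -c "$hook"
}

# Only dispatch when invoked under one of the two installed names, so the
# functions above can be sourced and exercised on their own.
case $(basename "$0") in
    LoginHook|LogoutHook) dispatch "$1" ;;
esac
```

The ownership and write-bit checks do not protect root (su has already dropped privileges when the hook runs); they stop a hook that someone else was able to modify from running inside the user's session. A per-user hook still lives at ~/Library/Hooks/LoginHook or ~/Library/Hooks/LogoutHook and must be executable, as in the original.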

As for what to do with them, see part 3 of this tip (but you might want to see part 2 first...) :-)


7 comments
Authored by: jaysoffian on Jan 12, '04 12:24:53PM
Re: this script assumes user home directories are still in the default location of /Users/.

That should be: /Users/<username>

---
j.


Authored by: monickels on Jan 12, '04 12:29:51PM

From what I can tell, these scripts do not run on wake. This is an important part which has been missing from all passwordless-SSH hints and tools I have seen. Particularly since, in OS X, one is more likely to put a machine to sleep rather than shut it down.



Authored by: timhaigh on Jan 12, '04 02:17:04PM

The best way to set up SSH for newbies is to read this howto that I found a couple of years ago.


http://macmedic.co.uk/howto/ssh.html



Authored by: jaysoffian on Jan 12, '04 04:29:10PM

I assume you're referring to removing the ssh keys from ssh-agent (or locking ssh-agent) just before going to sleep, and then unlocking ssh-agent once the machine wakes up.

I don't really see a reason to do that. The purpose of locking/unlocking ssh-agent would be to prevent unauthorized use of your keys while you are away from the computer. But if the computer is asleep, the keys are safe.

However, it would be useful to lock ssh-agent whenever your screen is locked, and then unlock ssh-agent when you unlock the screen.

That's something I'm working on. It's actually not that hard, just need to write a quick program that receives notifications when the screen is locked/unlocked. You might also want to lock ssh-agent when Fast User Switching is in use and your user is switched out.

j.



Authored by: loosifer on Jan 19, '04 12:15:35PM
There's another good tool out there for this that I just discovered:

http://www.sshkeychain.org/

It's simple, it doesn't have to show anything in the Dock (although you have to choose the dock _or_ the menu bar). It's also got just the right options for when to add and remove the keys, and very simple setup including the global variables so the agent inherits everywhere. Even includes builtin integration with CVS. Very nice.

Authored by: jaysoffian on Mar 28, '06 07:34:19AM
Here's my current version of LoginHook/LogoutHook. Save this snippet as "SystemHook" then follow the comments to install it (you can delete SystemHook after that):

#!/bin/sh
#
# INSTALLATION INSTRUCTIONS:
# sudo mkdir /Library/Hooks
# sudo cp SystemHook /Library/Hooks/LoginHook
# sudo cp SystemHook /Library/Hooks/LogoutHook
# sudo chown -R root:wheel /Library/Hooks
# sudo chmod -R 755 /Library/Hooks
# sudo defaults write com.apple.loginwindow LoginHook /Library/Hooks/LoginHook
# sudo defaults write com.apple.loginwindow LogoutHook /Library/Hooks/LogoutHook
#
# Look the home directory up in NetInfo instead of assuming /Users/$1.
home="`niutil -readprop . "/users/$1" home`"
hook="$home/Library/Hooks/`basename $0`"
[ -x "$hook" ] || exit 0
# Drop from root to the user before running the per-user hook.
exec su - -f "$1" -c "$hook" "$@"



Authored by: johnrchang on Dec 21, '06 12:00:41PM
What's the point of this? Why not use a public key (or at least an ssh-agent instead of the loginwindow hooks)?

http://www.google.com/search?q=ssh+public+key+authentication

