Create protected passwordless ssh logins - Part 1 of 3

Jan 12, '04 08:22:00AM

Contributed by: jaysoffian

I debated posting this since there is already the excellent sshLogin to achieve the same goals outlined herein. Namely, passwordless ssh logins using RSA/DSA keys combined with the security of a passphrase protected identity file. I tried using sshLogin for a little while, but I wasn't quite happy with it. For one thing, I didn't like that whenever I logged in, sshLogin would briefly fire up an application (which would appear in my dock) to do its work. Secondly, it appeared to be a little heavyweight for my needs. And perhaps I had a little bit of not-invented-here syndrome.

In any case, this is a three-part tip since I think that even if you continue to use sshLogin, you'll find parts of this useful. Part 1 (this hint) will implement per-user login and logout hooks; Part 2 implements a Keychain command line utility; and Part 3 implements the whole process.

[robg adds: This three-part hint is quite advanced; I have not tested any of it, so you're on your own if you choose to try it on your machine. Before proceeding, you should have a solid level of knowledge concerning the Terminal, text editors, creating executable files, etc.]

Part 1: Implementing per-user Login/Logout hooks

As you may be aware, OS X provides a facility to run a command whenever a user logs in or out. However, this command is always run as root, and it is passed the username of the user logging in (or out) as its single argument. I wanted to allow for per-user Login hooks on my system. Here's how I did it:

  1. Create the directory /Library/Hooks. Place in this directory a single shell-script, called LoginHook, whose contents are:
    #!/bin/sh
    # loginwindow runs this as root and passes the username as $1.
    # The same file is hard-linked as LogoutHook (step 3), so basename
    # picks the matching per-user hook under the user's home directory.
    hook="/Users/$1/Library/Hooks/$(basename "$0")"
    # Nothing to do if the user has no executable hook of that name.
    [ -x "$hook" ] || exit 0
    # Run the hook as that user in a login shell (-f keeps csh from reading .cshrc).
    exec su - -f "$1" -c "$hook" "$@"
    

    [ IMPORTANT - this script assumes user home directories are still in the default location of /Users/. If you've moved them, either adjust this script, or figure out how to make it more complicated by looking up the user home directories dynamically via something like getpwnam() ... ]

  2. Make sure the file and directory have proper ownership and permissions:
    # chmod -R 755 /Library/Hooks
    # chown -R root:wheel /Library/Hooks
    
  3. Create a link to this file, called LogoutHook:
    # ln /Library/Hooks/LoginHook /Library/Hooks/LogoutHook
    
  4. Enable the login hooks via the defaults command:
    # defaults write com.apple.loginwindow LoginHook "/Library/Hooks/LoginHook"
    # defaults write com.apple.loginwindow LogoutHook "/Library/Hooks/LogoutHook"
    

    [ IMPORTANT - you have to run the defaults command as root, or via sudo, otherwise you'll update your personal com.apple.loginwindow preference file and not the global one. ]

    [ IMPORTANT - if you're using sshLogin, it will have already set these values. Other similar utilities may also set these hooks. Make sure you preserve the current settings for LoginHook and LogoutHook (defaults read com.apple.loginwindow) in case you want to back out these changes. ]

That's it; you should now have per-user Login/Logout hooks enabled.
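A hardened variant of the step 1 dispatcher, added here as an example and not part of the original hint: it looks up the home directory (via dscl on OS X, getent elsewhere) instead of assuming /Users, as the note in step 1 suggests, and it skips a per-user hook that is not owned by that user or is group/world writable, since the hook runs with that user's privileges and nobody else should be able to edit it. The function names home_of, hook_is_safe and run_user_hook are my own.

```shell
#!/bin/sh
# Hardened /Library/Hooks dispatcher (added example, not the hint's own script).
# loginwindow runs this as root with the username in $1; the file is
# hard-linked as LogoutHook, so basename "$0" picks the per-user hook to run.

# home_of USER: print USER's home directory, or nothing for an unknown account.
# Assumes dscl (OS X) or getent (other Unix) is available.
home_of() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read "/Users/$1" NFSHomeDirectory 2>/dev/null | awk '{ print $2; exit }'
    else
        getent passwd "$1" 2>/dev/null | cut -d: -f6
    fi
}

# hook_is_safe FILE USER: succeed only if FILE is a regular executable owned by
# USER and not writable by its group or by others.  The hook is executed with
# USER's privileges, so nobody else should be able to change what it does.
hook_is_safe() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    info=$(ls -ld "$1") || return 1     # e.g. "-rwxr-xr-x 1 alice staff ..."
    mode=${info%% *}
    owner=$(printf '%s\n' "$info" | awk '{ print $3 }')
    [ "$owner" = "$2" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;  # group write (col 6) or world write (col 9)
    esac
    return 0
}

# run_user_hook USER: dispatch to ~USER/Library/Hooks/<LoginHook|LogoutHook>,
# or exit quietly when there is nothing safe to run.
run_user_hook() {
    home=$(home_of "$1")
    [ -n "$home" ] || exit 0
    hook="$home/Library/Hooks/$(basename "$0")"
    hook_is_safe "$hook" "$1" || exit 0
    exec su - -f "$1" -c "$hook" "$@"
}

# Only dispatch when loginwindow supplied a username, so the helper
# functions can also be exercised on their own.
if [ -n "${1:-}" ]; then
    run_user_hook "$@"
fi
```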

As for what to do with them, see part 3 of this tip (but you might want to see part 2 first...) :-)

Mac OS X Hints
http://hints.macworld.com/article.php?story=20031217081557968