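# Read all of stdin (normally a here-document) into the variable named by $1.
# Arguments: $1 - name of the variable to assign
# Inputs:    stdin - the text to store
# Returns:   always 0
_define () {
  # -r keeps backslashes literal. -d '' makes read consume input up to
  # end-of-file, which it reports as a non-zero status even though the
  # variable was assigned, hence the "|| true".
  # The name is quoted so it reaches read as exactly one word.
  read -r -d '' "${1}" || true
}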
# Upgrade notice for installations coming from a pam_ssh release older than
# 2.0; post_upgrade prints it verbatim.
# The quoted 'EOF' delimiter keeps the text literal, so $HOME and the key-name
# patterns below are not expanded by the shell; "<<-" strips leading tabs.
# Per the text itself, 2.0 removes the "keyfiles" option from the PAM
# configuration and additionally tries keys in ~/.ssh/login-keys.d/ when
# authenticating, so administrators have to edit /etc/pam.d by hand.
_define _CAVEAT_PRE_2_0 <<-'EOF'
CAVEAT EMPTOR: Backward incompatible change, requires manual intervention:
(See the abridged README and Changelog below).
To sum up:
. The "keyfiles" option has been removed. You should edit your /etc/pam.d/???
and remove it.
. If ~/.ssh/id_(ed25519|(r|d|ecd)sa) exist, those will be used.
. The module now also tries to authenticate against keys located in
~/.ssh/login-keys.d/ (can be symlinks to the actual keys).
. Additional keys in ~/.ssh/session-keys.d/ will be loaded too.
Excerpt from pam_ssh 2.0 README:
Per-user setup
--------------
pam_ssh will try to decrypt the traditional SSH keys, that is, files
matching $HOME/.ssh/id_(ed25519|(r|d|ecd)sa). pam_ssh will also try to
decrypt all keys in the directories $HOME/.ssh/login-keys.d and
$HOME/.ssh/session-keys.d, and (if your system administrator has
configured your system thus) allow you to log in using any of these login
keys. So if you want to log in by using an SSH key passphrase, you should
create a login-keys.d directory and in this directory create (symbolic
links to) all the keys you want to use as login keys. Nevertheless keys
in the directory $HOME/.ssh/login-keys.d with .disabled or .frozen as
suffix are ignored. The handling for keys in $HOME/.ssh/session-keys.d
is similar bot those are not used for login purposes.
Excerpt from pam_ssh 2.0 Changelog:
Version 2.0 released
====================
2013-11-17 Wolfgang Rosenauer
* pam_ssh.c: search additional keys in directory session-keys.d
Users having alternative keys (non-default names) and want them
unlocked at login with the passphrase and added to the agent
can now put or link them into .ssh/session-keys.d directory
2013-11-10 Wolfgang Rosenauer
[...]
* pam_get_pass.c, pam_get_pass.h, pam_ssh.c:
[...]
Look for SSH keys in $HOME/.ssh/login-keys.d/, given that SSH keys
with .disabled or .frozen as suffix are ignored.
"keyfiles" option has been removed
EOF
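# Report whether a package version sorts before 2.0 according to vercmp.
# Arguments: $1 - package version string to compare against 2.0
# Returns:   0 when vercmp prints a negative number for "$1" versus 2.0;
#            non-zero otherwise, including when vercmp prints nothing that
#            can be compared as an integer
_is_older_than_2_0 () {
  local pkg_ver="$1"
  # The substitution is quoted so that whatever vercmp prints stays a single
  # operand of -lt instead of being word-split into extra test arguments.
  [ "$(vercmp "$pkg_ver" '2.0')" -lt 0 ]
}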
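# Package upgrade hook: print the pre-2.0 caveat when the previously installed
# version is older than 2.0, so the administrator sees that the PAM
# configuration needs a manual edit.
# Globals:   _CAVEAT_PRE_2_0 (read)
# Arguments: $1 - new package version (not used)
#            $2 - old package version
# Outputs:   the caveat text on stdout when the old version predates 2.0
post_upgrade () {
  local old_pkg_ver="$2"
  # Quoted so the version reaches the helper as exactly one argument.
  if _is_older_than_2_0 "$old_pkg_ver"; then
    # printf emits the text as data; echo could read a leading "-n" or "-e"
    # in the value as an option.
    printf '%s\n' "$_CAVEAT_PRE_2_0"
  fi
}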