path: root/pam_ssh.install
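# Store everything arriving on stdin (typically a here-document) in the
# variable named by $1.
#
# Arguments: $1 - name of the variable to assign
# Returns:   0 always
_define () {
	# `read -d ''` stops only at a NUL byte or at end of input, so it takes in
	# the whole text and then reports EOF with a non-zero status; `|| true`
	# turns that expected status into success.  With IFS left at its default,
	# `read` also trims leading and trailing whitespace from the stored text.
	#
	# The name is quoted so that `read` receives exactly one word: an argument
	# containing whitespace or glob characters is rejected as an invalid
	# identifier instead of being split into several variable names.
	read -r -d '' "${1}" || true
}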

# Upgrade notice that post_upgrade prints when the previously installed
# version is older than 2.0.
#
# The quoted 'EOF' delimiter keeps the text literal, so $HOME in the README
# excerpt is printed as written and is never expanded by the shell; `<<-`
# strips the leading tabs that indent the text in this file.
#
# The notice is security-relevant for administrators: per the excerpt below,
# the "keyfiles" option is gone from 2.0 on and keys under
# ~/.ssh/login-keys.d/ can be used to log in, so the PAM configuration in
# /etc/pam.d needs a manual review after the upgrade.
_define _CAVEAT_PRE_2_0 <<-'EOF'

	CAVEAT EMPTOR: Backward incompatible change, requires manual intervention:

	(See the abridged README and Changelog below).

	To sum up:
	. The "keyfiles" option has been removed.  You should edit your /etc/pam.d/???
	and remove it.

	. If ~/.ssh/id_(ed25519|(r|d|ecd)sa) exist, those will be used.

	. The module now also tries to authenticate against keys located in
	~/.ssh/login-keys.d/ (can be symlinks to the actual keys).

	. Additional keys in ~/.ssh/session-keys.d/ will be loaded too.



	Excerpt from pam_ssh 2.0 README:

	Per-user setup
	--------------

	pam_ssh will try to decrypt the traditional SSH keys, that is, files
	matching $HOME/.ssh/id_(ed25519|(r|d|ecd)sa).  pam_ssh will also try to
	decrypt all keys in the directories $HOME/.ssh/login-keys.d and
	$HOME/.ssh/session-keys.d, and (if your system administrator has
	configured your system thus) allow you to log in using any of these login
	keys. So if you want to log in by using an SSH key passphrase, you should
	create a login-keys.d directory and in this directory create (symbolic
	links to) all the keys you want to use as login keys. Nevertheless keys
	in the directory $HOME/.ssh/login-keys.d with .disabled or .frozen as
	suffix are ignored. The handling for keys in $HOME/.ssh/session-keys.d
	is similar bot those are not used for login purposes.


	Excerpt from pam_ssh 2.0 Changelog:

	Version 2.0 released
	====================

	2013-11-17  Wolfgang Rosenauer

		* pam_ssh.c: search additional keys in directory session-keys.d
		  Users having alternative keys (non-default names) and want them
		  unlocked at login with the passphrase and added to the agent
		  can now put or link them into .ssh/session-keys.d directory


	2013-11-10  Wolfgang Rosenauer

		[...]
		* pam_get_pass.c, pam_get_pass.h, pam_ssh.c:
		  [...]
		  Look for SSH keys in  $HOME/.ssh/login-keys.d/, given that SSH keys
		  with .disabled or .frozen as suffix are ignored.
		  "keyfiles" option has been removed
EOF

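# Tell whether a package version sorts before 2.0 according to vercmp.
#
# Arguments: $1 - package version string to check
# Returns:   0 if the version is older than 2.0; non-zero if it is not, or
#            if vercmp fails or prints something that is not an integer
_is_older_than_2_0 () {
	local pkg_ver="$1"
	local cmp

	# Declared separately from the assignment so that `local` does not mask
	# a failing vercmp.
	cmp=$(vercmp "$pkg_ver" '2.0') || return 1

	# An empty or non-numeric answer means the comparison is unknown.  Treat
	# it as "not older" quietly rather than handing a malformed operand to
	# `test`, which would only print a confusing error during the upgrade.
	[[ "$cmp" =~ ^-?[0-9]+$ ]] || return 1

	test "$cmp" -lt 0
}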

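# Upgrade hook: print the pre-2.0 caveat when the version being replaced is
# older than 2.0.
#
# Globals:   _CAVEAT_PRE_2_0 (read)
# Arguments: $1 - new package version (not used)
#            $2 - old package version
# Outputs:   writes the caveat text to stdout when it applies
post_upgrade () {
	local old_pkg_ver="$2"

	# Quoted so the version always reaches the helper as exactly one argument,
	# whatever characters it contains.
	if _is_older_than_2_0 "$old_pkg_ver"; then
		# printf '%s\n' prints the notice verbatim; echo could treat a leading
		# dash or backslashes in the text specially.
		printf '%s\n' "$_CAVEAT_PRE_2_0"
	fi
}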