Posts Tagged ‘ssh’

ssh-agent without the Gnome keyring

March 1, 2010

On a default Ubuntu install, and probably on any other modern Gnome-based Linux desktop, the Gnome keyring takes over the role of ssh-agent. If that is not desirable, you can tell the keyring not to do so by setting the gconf key /apps/gnome-keyring/daemon-components/ssh to false.

$ gconftool -s --type bool /apps/gnome-keyring/daemon-components/ssh false

At the next login you should see your environment variable SSH_AUTH_SOCK pointing towards a more proper socket. Note that the real ssh-agent is still started, assuming Ubuntu, thanks to /etc/X11/Xsession.d/90x11-common_ssh-agent.

Categories: Howto

/etc/init.d/autossh_tunnel.foo

August 27, 2008

Autossh is a nice way to keep an ssh connection alive. This is especially useful when it comes to ssh tunnels. To make things even more automagical I have now written the init script template autossh_tunnel.foo.

A few important facts regarding the script:

  • Autossh 1.4 or later is required. Earlier versions of autossh don’t handle PID files.
  • The init script is based on the start-stop-daemon. Hence it will probably only work on Debian, Ubuntu and similar systems.
  • There is no way to enter a password. A setup based on ssh-keys or similar is required.
  • Autossh doesn’t handle every kind of ssh problem. Because of that it is possible for the initial connection to fail without the init script knowing about it.

This is by the way my first real init script. Any feedback on it would be greatly appreciated.

Categories: Code

Debian – Ubuntu, S/Key and OPIE

May 31, 2008

I had been looking for a simple way to enable S/Key support in Linux. Once I found out that the magic keywords were OPIE and PAM, it became almost trivial to allow ssh logins using One Time Passwords (OTP).

The following instructions are written specifically for Debian and Ubuntu. In general, the concept should work on any Linux system using OpenSSH and PAM.

First of all you should install the package opie-server. It will give you the necessary PAM-module and some accompanying tools.

Now edit /etc/pam.d/ssh, comment out the inclusion of common-auth, and add these lines.

auth       sufficient pam_unix.so
auth       sufficient pam_opie.so
auth       required  pam_deny.so

If you only want to allow OTP logins, this line will do.

auth       required   pam_opie.so

Next it’s time to edit /etc/ssh/sshd_config.

ChallengeResponseAuthentication yes

That’s it. Restart your sshd and it will be ready to accept OTP logins. To initialize a user, run opiepasswd (the equivalent of keyinit). Responses are generated using opiekey.

Client-side it’s usually enough to install the package opie-client.

Categories: Howto, Ubuntu

line_removal.pl (known_hosts)

May 16, 2008

Manually removing entries from your known_hosts doesn’t take much of an effort. Still, it’s something you can grow tired of. Especially so after recent events (DSA-1571). That is why I’ve now written my very own line_removal.pl script.

Basically you feed the script one or more line numbers. Corresponding lines in your ~/.ssh/known_hosts will then be deleted.

andreas@leto:~$ ./line_removal.pl 22
Removing line #22 from /home/andreas/.ssh/known_hosts

andreas@leto:~$ ./line_removal.pl 3 37 29
Removing line #37 from /home/andreas/.ssh/known_hosts
Removing line #29 from /home/andreas/.ssh/known_hosts
Removing line #3 from /home/andreas/.ssh/known_hosts

To be honest I really don’t know if I’ll ever use this script against more than one line at a time. Somehow it still seemed wrong not to support the option of feeding it multiple arguments.
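
The behaviour shown in the transcript above, as an added Python example; it is not the author's line_removal.pl, which is not reproduced on this page. It assumes the descending order seen in the output is there so that one deletion never shifts the number of a line still to be removed; the names remove_lines and demo and the sample host entries are constructed for illustration.

```python
#!/usr/bin/env python3
"""Added example: delete numbered lines from a known_hosts file."""
import os
import sys
import tempfile
from pathlib import Path


def remove_lines(path, line_numbers):
    """Delete 1-based line_numbers from path; return them in removal order."""
    path = Path(path)
    lines = path.read_bytes().splitlines(keepends=True)
    # Highest first, so a deletion never shifts a line still to be removed.
    wanted = sorted(set(line_numbers), reverse=True)
    bad = [n for n in wanted if not 1 <= n <= len(lines)]
    if bad:
        raise ValueError(f"{path} has {len(lines)} lines, cannot remove {bad}")
    for n in wanted:
        del lines[n - 1]
    # Write a private temp file beside the original and rename it into place,
    # so an interrupted run never leaves a truncated known_hosts behind.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.writelines(lines)
        os.chmod(tmp, path.stat().st_mode & 0o777)  # keep original permissions
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return wanted


def demo():
    """Run against a constructed file; hosts and key blobs are placeholders."""
    with tempfile.TemporaryDirectory() as d:
        kh = Path(d) / "known_hosts"
        kh.write_text("".join(f"host{i}.example ssh-rsa AAAA-placeholder-{i}\n"
                              for i in range(1, 6)))
        removed = remove_lines(kh, [2, 5, 4])
        return removed, kh.read_text().splitlines()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = Path.home() / ".ssh" / "known_hosts"
        for n in remove_lines(target, [int(a) for a in sys.argv[1:]]):
            print(f"Removing line #{n} from {target}")
    else:
        print(demo())
```

Out-of-range line numbers are rejected before anything is written, so a mistyped argument leaves known_hosts untouched.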

Categories: Code