Bug 490473 - sys-auth/pambase: enable pam_ssh by default in IUSE
Summary: sys-auth/pambase: enable pam_ssh by default in IUSE
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal enhancement
Assignee: Mikle Kolyada (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on: 304729
Blocks:
Reported: 2013-11-05 12:48 UTC by C. Wijtmans
Modified: 2019-03-28 21:08 UTC
Description C. Wijtmans 2013-11-05 12:48:21 UTC
I have been confused for a very long time about how ssh-agent works. In fact I did not even know an ssh-agent came with openssh. When the ssh-agent and pam USE flags are set it should depend on sys-auth/pambase[pam_ssh], which is required to start the ssh agent when a user logs in. This should make things clearer and more automated.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2013-11-05 12:52:37 UTC
The problem is that even when you have compiled openssh with the pam USE flag enabled, you can still disable usage of pam in sshd by setting

  UsePAM no

in your /etc/ssh/sshd_config file.
Comment 2 C. Wijtmans 2013-11-05 13:14:48 UTC
Yeah, but that does not affect pam launching ssh-agent, I think? Maybe I am misunderstanding things a bit here.
Comment 3 Kevin Korb 2013-11-26 20:41:22 UTC
Just my $.02 as a heavy ssh user...

It is true that this has nothing at all to do with UsePAM in sshd_config.  Normally ssh-agent is a client side thing not a server side thing.

OTOH, use of ssh-agent does not require pam to auto-launch it at login time (I have been using ssh-agent for years and didn't even know pam could do that until I read this bug).

Therefore, I would suggest matching the USE flag with pambase and calling it pam-ssh or maybe pam-ssh-agent.  I would interpret the existence of a USE flag called "ssh-agent" to mean include or not include ssh-agent, and I would set it, which would then cause me problems because I expect ssh-agent not to be running at login until I start it.

OTOH, I am not sure this really matters.  The auto-launching of ssh-agent by pam is a pam feature and it is already properly USE flagged there.  All combinations of USE flags on openssh will install ssh-agent and that is all openssh really has to do with it.
Comment 4 C. Wijtmans 2013-11-27 14:06:43 UTC
"Normally ssh-agent is a client side thing not a server side thing."
As far as I know, openssh builds both the server and the client, meaning that an ssh-agent flag on the openssh package refers to the client use of ssh-agent; it would depend on pam ssh-agent. This has nothing to do with the server side in openssh.
Comment 5 SpanKY gentoo-dev 2013-11-28 20:58:27 UTC
there is no hard binding between openssh and pambase[pam_ssh]

openssh provides ssh-agent.  it provides a server.  it provides a client.  these things optionally support pam.

pambase includes a module to simplify launching of the ssh-agent via pam.  this functionality is not required for openssh to fully function.  it's simply a nice feature that some people like.

hence it makes no sense for openssh to require an optional feature like pam_ssh.  no functionality on the openssh side requires or is impacted by that setting.  if you want this functionality, then enable it yourself.

as Kevin Korb said, it's always been easy to have ssh-agent auto launch at login time.  i too have been doing this for years w/out pam.  all you need is to tweak your personal login shell scripts.
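A login-shell version of what SpanKY describes, as an added example that is not from this bug or from openssh/pambase: it starts a per-user ssh-agent only when no reachable one exists and records the agent's socket and pid in a file named by the assumed variable SSH_AGENT_ENV_FILE (default ~/.ssh/agent.env) so that later logins reuse the same agent instead of forking a new one.

```shell
#!/bin/sh
# Added example, not code from the bug or from openssh/pambase: auto-launch a
# per-user ssh-agent from a login shell script, reusing a running one.
# SSH_AGENT_ENV_FILE is an assumed name for the bootstrap file; it defaults
# to ~/.ssh/agent.env.

agent_env_file() {
    printf '%s\n' "${SSH_AGENT_ENV_FILE:-$HOME/.ssh/agent.env}"
}

# True when SSH_AUTH_SOCK points at a live agent. ssh-add -l exits 0 (keys
# loaded) or 1 (no keys) when the agent answers, and 2 when it cannot connect.
agent_alive() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]
}

# Import the SSH_AUTH_SOCK / SSH_AGENT_PID recorded by a previous login.
load_agent_env() {
    f=$(agent_env_file)
    [ -r "$f" ] || return 1
    . "$f" >/dev/null
}

# Start a fresh agent. Its bootstrap output is written mode 0600 because it
# names the socket and pid of the agent that signs with this user's keys.
start_agent() {
    f=$(agent_env_file)
    mkdir -p "$(dirname "$f")" || return 1
    ( umask 077; ssh-agent -s > "$f" ) || return 1
    . "$f" >/dev/null
}

# Entry point for ~/.profile or similar: returns 0 when an agent is usable,
# 2 when there is no ssh-agent binary, 1 when a new agent could not start.
ensure_agent() {
    command -v ssh-agent >/dev/null 2>&1 || return 2
    agent_alive && return 0
    load_agent_env && agent_alive && return 0
    start_agent
}
```

Source this file from ~/.profile and call `ensure_agent`; keys are still added explicitly with `ssh-add`, which is the behaviour Kevin Korb wants to preserve.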
Comment 6 C. Wijtmans 2013-11-28 21:45:42 UTC
"as Kevin Korb said, it's always been easy to have ssh-agent auto launch at login time."

Easy is relative, especially for newbie users that don't know what they are doing.  They might be missing ssh-agent compared to other distros and don't know how to activate it (happened to me, I did not even know there was such a thing until I looked at pam).
So even if it is easy for you in your use case, that doesn't mean it applies to the "masses", and this is what many gentoo devs simply don't get.

"this functionality is not required for openssh to fully function."
ALL USE flags are not required for a fully functional package (most of them anyway), yet they are there. There are countless USE flags that pull in dependencies that are not required at all, and sometimes the libs are even detected at run-time and not compile-time.

"hence it makes no sense for openssh to require an optional feature like pam_ssh.  no functionality on the openssh side requires or is impacted by that setting.  if you want this functionality, then enable it yourself."
A USE flag is not a requirement. And you are missing the entire point. Expecting people to set up a feature in a login shell script (who does that?) which they don't even know exists, yet they expect the functionality, is totally insane.
Comment 7 SpanKY gentoo-dev 2013-11-28 21:57:17 UTC
(In reply to C.J. Wijtmans from comment #6)

sorry, but no.  nothing in your argument suggests a change is needed for openssh.  USE flags are not designed to add frivolous dependencies.  they are to control functionality in the package itself.  there is no functionality in openssh to control, hence modifying the openssh makes no sense.

the pambase guys might consider changing the default IUSE so that pam_ssh is enabled by default.
Comment 8 Kevin Korb 2013-11-28 22:02:55 UTC
First off, I want to say thanks to the original poster on this.  This bug was the very first time I had heard of pam_ssh, but I tried it and I liked it, so I switched to it.  However, I did not use the pam_ssh USE flag on pambase; I just installed sys-auth/pam-ssh and added it to pam's [gkx]dm config files so it only applies to desktop logins.  I did this because I didn't want su to fork off a separate ssh-agent; I wanted it to continue to use my user level ssh-agent.

That being said, most users coming from other distros probably don't even know about ssh-agent.  Most of them would be used to gnome-keyring, kwallet, seahorse, or keychain.  Plain ssh-agent is for people who use plain console logins or very old window managers (I use fvwm).

Anyway, I do agree that this shouldn't be a USE flag on net-misc/openssh.  I believe it would only cause confusion.  Especially since there is also the sys-auth/pam_ssh_agent_auth package which appears to offer the same functionality though I didn't try it out.

But thanks for the pointer to a neat trick I hadn't seen before.  Now I no longer have to type in my local password and my key passphrase when I boot up my laptop or desktop.
Comment 9 C. Wijtmans 2013-11-29 08:27:02 UTC
KWallet does not do what ssh-agent does. I don't know about gnome-keyring, but I don't think so either.
Comment 10 SpanKY gentoo-dev 2015-02-14 03:59:08 UTC
looks like bug 304729 needs to be fixed before we can think about enabling this
Comment 11 Mikle Kolyada (RETIRED) 2019-03-28 21:08:34 UTC
Over years notice:

pambase can function without pam_ssh at all; not all people even know what that is. So, no default.