Unlock SSH keys on login using PAM.
As pam_ssh did not do the job for me, I wrote pam_exec-ssh as a small replacement.
It is assumed that your login password is identical to the passphrase of your keys: the script gets nothing but the login password from PAM and uses it to unlock the keys.
For Arch Linux users there is already a pam_exec-ssh-git package in the AUR.
Otherwise just copy the script, set the permissions and install the dependencies pam and expect:

```sh
cp pam_exec-ssh /usr/bin/pam_exec-ssh
chown root:root /usr/bin/pam_exec-ssh
chmod 755 /usr/bin/pam_exec-ssh
```
You need a running ssh-agent, and it has to be started before you log in, because the keys are unlocked during authentication. You can start the agent manually or as a systemd user service. Make sure the socket path is correct: pam_exec-ssh uses /run/user/YOUR-USER-ID/ssh-agent.socket.
Add the call to your PAM config:

```
auth optional pam_exec.so expose_authtok /usr/bin/pam_exec-ssh
```

expose_authtok hands the login password to the script on its standard input, which is why the script must be owned by root and writable only by root. optional means that a failed unlock (agent not running, wrong passphrase) never blocks the login itself.
Sometimes it is useful not to unlock all SSH keys at login and better to unlock only a selection of frequently used keys. Create a directory unlock.d in your local .ssh directory and set up symlinks to all keys that should be unlocked:

```sh
mkdir ~/.ssh/unlock.d
ln -s ~/.ssh/id_rsa ~/.ssh/unlock.d/id_rsa
```
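As an added example (not the script's own code), the following shell functions show which keys an unlock.d directory selects and check each one the way ssh-add will: whether the link resolves, and whether the key file is readable by nobody but its owner. The fallback to every private key with a matching .pub file when there is no unlock.d, and the skipping of dangling symlinks with a warning, are assumptions, not documented behaviour of pam_exec-ssh.

```sh
#!/bin/sh
# Added example, not part of pam_exec-ssh: show which keys the unlock.d
# selection in an .ssh directory picks, and check each one before it is
# handed to ssh-add. Assumptions (not from the README): without unlock.d
# every private key with a matching .pub file is selected, and a dangling
# symlink in unlock.d is skipped with a warning.

# keys_to_unlock SSH_DIR: print one resolved private-key path per line.
keys_to_unlock() {
    ssh_dir=$1
    if [ -d "$ssh_dir/unlock.d" ]; then
        for link in "$ssh_dir"/unlock.d/*; do
            # An empty directory leaves the glob unexpanded; skip that.
            [ -e "$link" ] || [ -L "$link" ] || continue
            if [ ! -e "$link" ]; then
                echo "warning: $link points nowhere, skipping" >&2
                continue
            fi
            readlink -f "$link"
        done
    else
        for pub in "$ssh_dir"/*.pub; do
            [ -e "$pub" ] || continue
            key=${pub%.pub}
            [ -f "$key" ] && echo "$key"
        done
    fi
    return 0
}

# key_perms_ok KEY: 0 if only the owner can read KEY (e.g. 0600 or 0400).
# ssh-add refuses a private key that group or others can read, so a key
# linked from unlock.d with loose permissions would silently stay locked.
key_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        [4-7]00) return 0 ;;
        *) echo "warning: $1 has mode $mode, ssh-add will refuse it" >&2
           return 1 ;;
    esac
}

# Run as "sh unlock-check.sh report" to check your own ~/.ssh.
if [ "${1:-}" = report ]; then
    keys_to_unlock "$HOME/.ssh" | while IFS= read -r key; do
        key_perms_ok "$key" && echo "would unlock: $key"
    done
fi
```

Running it with the report argument before the first login through PAM tells you which keys will actually be offered to ssh-add and which ones it would reject; a key that never shows up in ssh-add -l afterwards is usually one of those two cases.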
You can check which keys are unlocked with ssh-add -l. To make sure your keys are locked again, restart your ssh-agent. A good time to do this is when you lock your screen: all keys are locked while you are away from the device, but the agent is still running and ready for the next use.
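The agent side of the setup (the running ssh-agent on the expected socket path) and the lock-on-screen-lock step above, as one added example that is not part of pam_exec-ssh: a small shell script that writes a systemd user unit for the agent on the socket path pam_exec-ssh uses, checks that an agent really answers there, and restarts the agent when the screen is locked. The unit name ssh-agent.service and the use of loginctl lock-session to lock the screen are assumptions; substitute your own locker.

```sh
#!/bin/sh
# Added example, not part of pam_exec-ssh: set up, check and "lock" the
# per-user ssh-agent that the PAM script talks to.
# Assumptions (not from the README): the agent runs as a systemd user unit
# named ssh-agent.service, and the screen is locked with loginctl.

# Socket path the README says pam_exec-ssh uses: /run/user/UID/ssh-agent.socket
agent_socket() {
    echo "/run/user/$(id -u)/ssh-agent.socket"
}

# Unit text for a user service running the agent in the foreground (-D),
# bound to that socket. In user units %t expands to /run/user/UID.
agent_unit() {
    cat <<'EOF'
[Unit]
Description=SSH key agent for pam_exec-ssh

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target
EOF
}

# agent_ready SOCKET: 0 if an agent answers on SOCKET, 1 otherwise.
# ssh-add -l exits 0 with keys loaded, 1 with none loaded, 2 when it
# cannot reach an agent; only the last case means the socket is wrong.
agent_ready() {
    [ -S "$1" ] || return 1
    rc=0
    SSH_AUTH_SOCK=$1 ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -le 1 ]
}

install_agent() {
    dir=$HOME/.config/systemd/user
    mkdir -p "$dir"
    agent_unit > "$dir/ssh-agent.service"
    systemctl --user daemon-reload
    systemctl --user enable --now ssh-agent.service
}

# Lock the keys the way the README suggests: restart the agent, which drops
# every loaded identity but leaves the socket in place for the next unlock,
# then lock the screen.
lock_keys_and_screen() {
    systemctl --user restart ssh-agent.service
    loginctl lock-session
}

case ${1:-} in
    install) install_agent ;;
    check)   sock=$(agent_socket)
             if agent_ready "$sock"; then echo "agent ready on $sock"
             else echo "no agent answering on $sock" >&2; exit 1; fi ;;
    lock)    lock_keys_and_screen ;;
    *)       ;;   # no subcommand: just define the functions
esac
```

Run the script with install once, with check before relying on the PAM hook, and bind it with lock to your screen-lock shortcut. One caveat: a user unit only runs once your user's systemd instance is up, which by default happens at your first login, after pam_exec has already run; enabling lingering for your user with loginctl enable-linger starts that instance at boot, so the agent is already listening when the first login arrives. If you prefer to keep the agent process, ssh-add -D removes all loaded identities without a restart.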