
pam_exec-ssh

Unlock SSH keys on login using PAM.

As pam_ssh did not do the job for me, I wrote pam_exec-ssh as a small replacement. It assumes that your login password is identical to the passphrase of the keys.

Installation

For Arch Linux users there is already a pam_exec-ssh-git package in the AUR.

Otherwise just copy the script, set the permissions and install the dependencies pam and expect. The script receives your login password and runs with the privileges of the PAM client, so it has to be owned by root and must not be writable by anyone else; the commands below take care of that.

```sh
cp pam_exec-ssh /usr/bin/pam_exec-ssh
chown root:root /usr/bin/pam_exec-ssh
chmod 755 /usr/bin/pam_exec-ssh
```

Configuration

You need a running ssh-agent that has been started before you log in. You can start your agent manually or as a systemd user service. Note that the systemd user manager is normally started by your first session, which is after the auth stack has run; enable lingering for your user (loginctl enable-linger) so the agent is already up when pam_exec-ssh runs.

Make sure that the socket path is correct. pam_exec-ssh uses /run/user/YOUR-USER-ID/ssh-agent.socket for it.

pam_exec-ssh does not unlock all SSH keys at login; it is better to unlock only a selection of frequently used keys. Create a directory that contains symlinks to the keys that are to be unlocked. The following locations are checked for that directory:

  • ~/.ssh/unlock.d
  • ~/.ssh/pam.d
  • ~/.config/ssh/unlock.d
  • ~/.config/ssh/pam.d

```sh
mkdir ~/.ssh/unlock.d
ln -s ~/.ssh/id_rsa ~/.ssh/unlock.d/id_rsa
```

You can check which keys are unlocked with ssh-add -l.

Add the PAM call to your PAM config. `expose_authtok` makes pam_exec pass the login password to the script on stdin, and `optional` makes sure that a failed unlock never blocks the login itself:

```
auth		optional	pam_exec.so expose_authtok /usr/bin/pam_exec-ssh
```

To make sure that your keys are locked again you can restart your ssh-agent. A good time to do this is when you lock your screen, so that all keys are locked when you leave your device while the agent is still prepared for the next use.
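The configuration steps above, collected into one runnable sketch. This is an added example written for this page, not the project's own pam_exec-ssh script (which uses expect): it resolves the unlock directory from the locations listed above, reads the login password that `expose_authtok` places on stdin, hands it to `ssh-add` through a private `SSH_ASKPASS` helper instead of expect, and writes a systemd user unit that binds the agent to `%t/ssh-agent.socket` (`%t` expands to `/run/user/UID`). The function names, the order in which the candidate directories are tried, the use of the `PAM_TYPE`/`PAM_USER` variables that pam_exec exports, and `SSH_ASKPASS_REQUIRE=force` (OpenSSH 8.4 and later) are my assumptions, not documented behaviour of pam_exec-ssh.

```shell
#!/bin/sh
# Added example: a minimal stand-in for what pam_exec-ssh does, written for
# this page (the real script uses expect). Invoked from the PAM auth stack as
#   auth optional pam_exec.so expose_authtok /usr/bin/pam_exec-ssh
# pam_exec writes the login password to our stdin and exports PAM_USER/PAM_TYPE.
set -u

# Candidate directories (relative to the user's home) holding symlinks to the
# keys to unlock. The first one that exists is used (assumed order).
UNLOCK_DIRS=".ssh/unlock.d .ssh/pam.d .config/ssh/unlock.d .config/ssh/pam.d"

# find_unlock_dir HOME: print the first existing candidate; return 1 if none.
find_unlock_dir() {
    for d in $UNLOCK_DIRS; do
        if [ -d "$1/$d" ]; then
            printf '%s\n' "$1/$d"
            return 0
        fi
    done
    return 1
}

# list_unlock_keys DIR: print the resolved target of each symlink in DIR that
# points at an existing regular file; dangling links are silently skipped.
list_unlock_keys() {
    for link in "$1"/*; do
        [ -L "$link" ] || continue
        target=$(readlink -f -- "$link") || continue
        [ -f "$target" ] && printf '%s\n' "$target"
    done
    return 0
}

# write_agent_unit UNITDIR: install a systemd user unit that runs ssh-agent on
# the socket pam_exec-ssh expects. %t expands to $XDG_RUNTIME_DIR, i.e.
# /run/user/UID, so the socket ends up at /run/user/UID/ssh-agent.socket.
write_agent_unit() {
    mkdir -p "$1"
    cat > "$1/ssh-agent.service" <<'EOF'
[Unit]
Description=ssh-agent listening on %t/ssh-agent.socket

[Service]
Type=simple
ExecStart=/usr/bin/ssh-agent -D -a %t/ssh-agent.socket

[Install]
WantedBy=default.target
EOF
}

# unlock_keys HOME UID: read the password expose_authtok put on stdin and feed
# it to ssh-add for every listed key via a private SSH_ASKPASS helper.
unlock_keys() {
    umask 077                                  # helper dir/files: owner only
    dir=$(find_unlock_dir "$1") || return 0    # nothing configured, not an error
    pass=
    IFS= read -r pass || [ -n "$pass" ] || return 0   # pam_exec may omit the newline

    # The passphrase goes into a 0600 file read by a tiny askpass script, not
    # into an environment variable that shows up in /proc/PID/environ.
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$pass" > "$tmp/pass"
    printf '#!/bin/sh\nexec cat "%s"\n' "$tmp/pass" > "$tmp/askpass"
    chmod 700 "$tmp/askpass"
    unset pass

    list_unlock_keys "$dir" | while IFS= read -r key; do
        # stdin is not a tty, so ssh-add consults SSH_ASKPASS; *_REQUIRE forces
        # that on OpenSSH >= 8.4 and DISPLAY keeps older versions happy.
        # Failures are ignored on purpose: the login must not depend on this.
        SSH_AUTH_SOCK="/run/user/$2/ssh-agent.socket" \
        SSH_ASKPASS="$tmp/askpass" SSH_ASKPASS_REQUIRE=force \
        DISPLAY="${DISPLAY:-:0}" \
            ssh-add "$key" </dev/null >/dev/null 2>&1 || :
    done
    rm -rf "$tmp"
    return 0
}

main() {
    [ "${PAM_TYPE:-}" = auth ] || return 0
    entry=$(getent passwd "${PAM_USER:-}") || return 0
    unlock_keys "$(printf '%s\n' "$entry" | cut -d: -f6)" \
                "$(printf '%s\n' "$entry" | cut -d: -f3)"
}

# Act only when started by pam_exec (which exports PAM_TYPE); when the file is
# sourced just for its functions nothing runs.
if [ -n "${PAM_TYPE:-}" ]; then
    main
fi
```

Install the unit with `write_agent_unit ~/.config/systemd/user` followed by `systemctl --user enable --now ssh-agent.service`, and run `loginctl enable-linger "$USER"` once so the user manager (and with it the agent) exists before your first login rather than being started by it. For a console login pam_exec runs the script as root; `ssh-add` then connects to the user's socket as root, which ssh-agent permits, so no user switching is needed in this sketch.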