pam_ssh man page

pam_ssh — authentication and session management with SSH private keys

Synopsis

[service-name] module-type control-flag pam_ssh [options]

Description

The SSH authentication service module for PAM, pam_ssh provides functionality for two PAM categories: authentication and session management. In terms of the module-type parameter, they are the “auth” and “session” features. It also provides null functions for the remaining categories.

SSH Authentication Module

The SSH authentication component provides a function to verify the identity of a user (pam_sm_authenticate()), by prompting the user for a passphrase and verifying that it can decrypt the target user's SSH key using that passphrase.

The following options may be passed to the authentication module:

debug
syslog(3) debugging information at LOG_DEBUG level.
use_first_pass
If the authentication module is not the first in the stack, and a previous module obtained the user's password, that password is used to authenticate the user. If this fails, the authentication module returns failure without prompting the user for a password. This option has no effect if the authentication module is the first in the stack, or if no previous modules obtained the user's password.
try_first_pass
This option is similar to the use_first_pass option, except that if the previously obtained password fails, the user is prompted for another password.
keyfiles
Specify the comma-separated list of files in $HOME/.ssh to check for SSH keys. The default is “id_dsa,id_rsa,identity”.
nullok
Allow empty passphrases.

SSH Session Management Module

The SSH session management component provides functions to initiate (pam_sm_open_session()) and terminate (pam_sm_close_session()) sessions. The pam_sm_open_session() function starts an SSH agent, passing it any private keys it decrypted during the authentication phase, and sets the environment variables the agent specifies. The pam_sm_close_session() function kills the previously started SSH agent by sending it a SIGTERM.

The following options may be passed to the session management module:

debug
syslog(3) debugging information at LOG_DEBUG level.

Files

$HOME/.ssh/identity
SSH1/OpenSSH RSA key
$HOME/.ssh/id_dsa
OpenSSH DSA key
$HOME/.ssh2/id_rsa_*
SSH2 RSA keys
$HOME/.ssh2/id_dsa_*
SSH2 DSA keys
/var/run/pam_ssh/<user>*
ssh-agent environment information. The files are owned by the superuser but readable by the users. The location is Fedora specific, in the original package these files are in $HOME/.ssh/agent-*

See Also

ssh-agent(1), syslog(3), pam.conf(5), pam(8)

Authors

Andrew J. Korty ⟨ajk@iu.edu⟩ wrote pam_ssh. Dag-Erling Smorgrav wrote the original OpenPAM support code. Mark R V Murray wrote the original version of this manual page.

Info

November 26, 2001