pam_ssh (8) - Linux Manuals
pam_ssh: authentication and session management with SSH private keys
NAME
pam_ssh - authentication and session management with SSH private keysSYNOPSIS
[service-name ] module-type control-flag pam_ssh [options ]DESCRIPTION
The SSH authentication service module for PAM, provides functionality for two PAM categories: authentication and session management. In terms of the module-type parameter, they are the ``auth '' and ``session '' features. It also provides null functions for the remaining categories.SSH Authentication Module
The SSH authentication component provides a function to verify the identity of a user (Fn pam_sm_authenticate ) by prompting the user for a passphrase and verifying that it can decrypt the target user's SSH key using that passphrase.The following options may be passed to the authentication module:
- debug
- syslog(3) debugging information at LOG_DEBUG level.
- use_first_pass
- If the authentication module is not the first in the stack, and a previous module obtained the user's password, that password is used to authenticate the user. If this fails, the authentication module returns failure without prompting the user for a password. This option has no effect if the authentication module is the first in the stack, or if no previous modules obtained the user's password.
- try_first_pass
- This option is similar to the use_first_pass option, except that if the previously obtained password fails, the user is prompted for another password.
- keyfiles
- Specify the comma-separated list of files in $HOME/.ssh to check for SSH keys. The default is ``id_dsa,id_rsa,identity''
- nullok
- Allow empty passphrases.
SSH Session Management Module
The SSH session management component provides functions to initiate (Fn pam_sm_open_session ) and terminate (Fn pam_sm_close_session ) sessions. The Fn pam_sm_open_session function starts an SSH agent, passing it any private keys it decrypted during the authentication phase, and sets the environment variables the agent specifies. The Fn pam_sm_close_session function kills the previously started SSH agent by sending it a SIGTERMThe following options may be passed to the session management module:
- debug
- syslog(3) debugging information at LOG_DEBUG level.
FILES
- $HOME/.ssh/identity
- SSH1/OpenSSH RSA key
- $HOME/.ssh/id_dsa
- OpenSSH DSA key
- $HOME/.ssh2/id_rsa_*
- SSH2 RSA keys
- $HOME/.ssh2/id_dsa_*
- SSH2 DSA keys
- /var/run/pam_ssh/<user>*
- ssh-agent environment information. The files are owned by the superuser but readable by the users. The location is Fedora specific, in the original package these files are in $HOME/.ssh/agent-*
AUTHORS
An -nosplit An Andrew J. Korty Aq ajk [at] iu.edu wrote . An Dag-Erling Smorgrav wrote the original OpenPAM support code. An Mark R V Murray wrote the original version of this manual page.