NAME
     pam_ssh - authentication and session management with SSH private keys
DESCRIPTION
     The SSH authentication service module for PAM provides functionality
     for two PAM categories: authentication and session management.
   SSH Authentication Module
     The SSH authentication component verifies the identity of a user by
     prompting the user for a passphrase and verifying that it can decrypt
     at least one of the user's SSH login keys using that passphrase.

     The following options may be passed to the authentication module:

     debug
             syslog(3) debugging information at LOG_DEBUG level.

     use_first_pass
             If the authentication module is not the first in the stack,
             and a previous module obtained the user's password, then that
             password is used to decrypt the user's SSH login keys.  If
             this fails, then the authentication module returns failure
             without prompting the user for a passphrase.

     try_first_pass
             Similar to the use_first_pass option, except that if the
             previously obtained password fails to decrypt any of the SSH
             login keys, then the user is prompted for an SSH passphrase.
             try_first_pass has no effect if pam_ssh is the first module
             on the stack, or if no previous modules obtained the user's
             password.

     allow_blank_passphrase
             Allow SSH keys with no passphrase.

     If neither use_first_pass nor try_first_pass is specified, pam_ssh
     will unconditionally ask for an SSH passphrase.

     In addition to the above authentication procedure, all standard SSH
     keys (identity, id_rsa, id_dsa) for which the obtained password
     matches will be decrypted.
   SSH Session Management Module
     The SSH session management component initiates sessions by starting
     an SSH agent, passing it any SSH login keys it decrypted during the
     authentication phase, and setting the environment variables
     accordingly.

     The SSH session management component terminates the session by
     killing the previously started SSH agent, sending it a SIGTERM.

     The following options may be passed to the session management
     module:

     debug
             syslog(3) debugging information at LOG_DEBUG level.
INFORMATION LEAKS
     Be careful when using the try_first_pass option when pam_ssh is the
     first authentication module, because it will then leak information
     about existing users without login keys: such users will not be asked
     for a specific SSH passphrase, whereas non-existing users and existing
     users with login keys will be asked for a passphrase.
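     The following PAM stack fragments are an added example, not from the
     pam_ssh manual page or project.  They contrast the placement that
     produces the leak described above with one that prompts every user
     the same way.  Assumptions: the module file is named pam_ssh.so, and
     pam_unix.so is the earlier module that obtains the password; the
     control flags are the standard Linux-PAM/OpenPAM ones.

```conf
# Weak: pam_ssh is the first auth module.  try_first_pass has nothing to
# try, so whether a passphrase prompt appears depends on the account
# having login keys, which distinguishes account classes to an observer.
auth     sufficient  pam_ssh.so try_first_pass
auth     required    pam_unix.so
session  optional    pam_ssh.so

# Better: a module that asks every user for a password runs first.
# pam_ssh then reuses that password (use_first_pass) and never issues a
# second prompt, so the prompt sequence is identical for every user.
auth     required    pam_unix.so
auth     optional    pam_ssh.so use_first_pass
session  optional    pam_ssh.so
```

     With use_first_pass a key that the password does not decrypt simply
     yields failure from pam_ssh without a further prompt; the optional
     control keeps that from blocking a login that pam_unix accepted, while
     the session line still starts the agent for keys that were decrypted.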
FILES
     $HOME/.ssh/identity
     $HOME/.ssh/id_rsa
     $HOME/.ssh/id_dsa
             OpenSSH DSA/RSA keys decrypted by pam_ssh.

     $HOME/.ssh/login-keys.d/
             Location of (possibly symbolic links to) OpenSSH DSA/RSA keys
             used for authentication and decrypted by pam_ssh.
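     The allow_blank_passphrase option and the FILES entries above together
     define which key files pam_ssh will try and that a key without a
     passphrase is only usable when explicitly allowed.  The Python script
     below is an added example, not part of pam_ssh, that walks those
     locations and reports which keys are stored without a passphrase by
     parsing key headers only (nothing is decrypted).  It assumes keys are
     in OpenSSH's "openssh-key-v1" container or the legacy PEM form; the
     sample keys it builds are constructed dummies, not real key material.

```python
"""Added example (not part of pam_ssh): report which of a user's SSH login
keys are stored without a passphrase.  Only key headers are parsed; nothing
is decrypted.  Supports the "openssh-key-v1" container and legacy PEM keys.
"""
import base64
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def key_is_passphrase_protected(text):
    """True if the private key in `text` is encrypted under a passphrase.

    openssh-key-v1: the header names the cipher; "none" means cleartext.
    Legacy PEM: an encrypted key carries a 'Proc-Type: 4,ENCRYPTED' header.
    """
    lines = [l.strip() for l in text.strip().splitlines()]
    head = lines[0]
    if head == "-----BEGIN OPENSSH PRIVATE KEY-----":
        if lines[-1] != "-----END OPENSSH PRIVATE KEY-----":
            raise ValueError("missing END line")
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    if head.startswith("-----BEGIN ") and head.endswith(" PRIVATE KEY-----"):
        for line in lines[1:]:
            if line == "":
                break  # blank line ends the PEM header block
            if line.upper().startswith("PROC-TYPE:") and "ENCRYPTED" in line.upper():
                return True
        return False
    raise ValueError("unrecognised private key format")


def audit_login_keys(ssh_dir):
    """Map each candidate key file under `ssh_dir` to True (passphrase),
    False (no passphrase) or None (unparseable).  Candidates are the
    standard names plus everything in login-keys.d/ (symlinks followed)."""
    ssh_dir = Path(ssh_dir)
    candidates = [ssh_dir / n for n in ("identity", "id_rsa", "id_dsa")]
    lk = ssh_dir / "login-keys.d"
    if lk.is_dir():
        candidates += sorted(lk.iterdir())
    report = {}
    for p in candidates:
        if not p.is_file():
            continue
        try:
            report[p.name] = key_is_passphrase_protected(p.read_text())
        except ValueError:
            report[p.name] = None
    return report


def make_openssh_v1_key(cipher, kdf):
    """Constructed openssh-key-v1 envelope with dummy key material (not a
    usable key); it only exercises the header parser."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = (OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
            + s(b"dummy-public") + s(b"dummy-private"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM samples (dummy base64 body, not real keys).
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

ZHVtbXk=
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
ZHVtbXk=
-----END RSA PRIVATE KEY-----
"""


def demo_audit():
    """Build a throwaway ~/.ssh layout from the constructed samples and audit it."""
    with tempfile.TemporaryDirectory() as d:
        ssh = Path(d) / ".ssh"
        (ssh / "login-keys.d").mkdir(parents=True)
        (ssh / "id_rsa").write_text(LEGACY_PLAIN)
        (ssh / "login-keys.d" / "work").write_text(
            make_openssh_v1_key(b"aes256-ctr", b"bcrypt"))
        (ssh / "login-keys.d" / "old").write_text(LEGACY_ENCRYPTED)
        return audit_login_keys(ssh)


if __name__ == "__main__":
    for name, ok in demo_audit().items():
        print(name, {True: "passphrase", False: "NO PASSPHRASE"}.get(ok, "unparseable"))
```

     Run against a real account with audit_login_keys(Path.home() / ".ssh");
     any False entry is a key pam_ssh will only accept when
     allow_blank_passphrase is set, which is the case to review before
     enabling the module.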
AUTHORS
     Andrew J. Korty <ajk@iu.edu> wrote pam_ssh.  Dag-Erling Smorgrav wrote
     the original OpenPAM support code.  Mark R V Murray wrote the original
     version of this manual page.  Jens Peter Secher introduced the
     login-key concept.