table of contents
PAM_SSH(8) | System Manager's Manual | PAM_SSH(8) |
NAME¶
pam_ssh
—
authentication and session management with SSH
private keys
SYNOPSIS¶
[service-name
]
module-type
control-flag
pam_ssh
[options
]
DESCRIPTION¶
The SSH authentication service module for PAM,pam_ssh
provides functionality for two PAM
categories: authentication and session management. In terms of the
module-type parameter, they are the
“auth
” and
“session
” features. It also provides
null functions for the remaining categories.
SSH Authentication Module¶
The SSH authentication component verifies the identity of a user by prompting the user for a passphrase and verifying that it can decrypt at least one of the user's SSH login (or authentication) keys using that passphrase. The user's SSH login keys must be either located or symbolically linked into the per-user dedicated folder ~/.ssh/login-keys.d/ in the user's home directory. The following options may be passed to the authentication module:debug
- syslog(3) debugging information at
LOG_DEBUG
level. use_first_pass
- If the authentication module is not the first in the stack, and a previous module obtained the user's password, that password is used to decrypt the user's SSH login keys. If this fails, then the authentication module returns failure without prompting the user for a passphrase.
try_first_pass
- Similar to the
use_first_pass
option, except that if the previously obtained password fails to decrypt any of the SSH login keys, then the user is prompted for an SSH passphrase. nullok
- Allow SSH keys with no passphrase.
use_first_pass
nor
try_first_pass
is specified,
pam_ssh
will unconditionally ask for an SSH
passphrase.
The now deprecated name
allow_blank_passphrase
for
nullok
is kept for compatibility reasons.
SSH Session Management Module¶
The SSH session management component initiates sessions by launching an SSH agent, passing it any user's SSH login keys successfully decrypted during the authentication phase and any additional user SSH session keys successfully decrypted, and sets dedicated environment variables accordingly; the environment variable TMPDIR, which can be set through the pam_tmpdir module for instance, is also honoured by being passed to the SSH agent. The SSH session management component terminates the session by killing the previously launched SSH agent by sending it aSIGTERM
.
The traditional SSH keys ~/.ssh/identity,
~/.ssh/id_rsa,
~/.ssh/id_dsa, and
~/.ssh/id_ecdsa are considered as the
default SSH session keys. Nonetheless, extra user SSH session keys can be
either located or symbolically linked into the per-user dedicated folder
~/.ssh/session-keys.d/ in the user's home
directory.
The following option may be passed to the session management module:
INFORMATION LEAKS¶
Be careful with the using thetry_first_pass
option when pam_ssh
is the first
authentication module because it will then leak information about existing
users without login keys: such users will not be asked for a specific SSH
passphrase, whereas non-existing users and existing users with login keys will
be asked for a passphrase.
FILES¶
- ~/.ssh/
- This directory is the default per-user location for all user-specific SSH configuration and SSH authentication information as expected by SSH and its friends.
- ~/.ssh/identity
- ~/.ssh/id_rsa
- ~/.ssh/id_dsa
- ~/.ssh/id_ecdsa
- Contains the traditional private key for authentication. These files contain sensitive data and should be readable by the user but not accessible by others: any traditional private key file that is accessible by others is simply ignored. While the SSH authentication component ignores the traditional private keys, the SSH session management component passes any successfully decrypted traditional key to the launched SSH agent.
- ~/.ssh/login-keys.d/
- This directory is the dedicated per-user location for files or symbolic
links to files that contains SSH private keys considered by the SSH
authentication component.
pam_ssh
ignores any private key file that is accessible by others or that possesses .disabled or .frozen as suffix. Each login key successfully decrypted is passed by the SSH session management component to the lauched SSH agent. - ~/.ssh/session-keys.d/
- This directory is the dedicated per-user location for files or symbolic
links to files that contains (extra) SSH private keys considered only by
the SSH session management component.
pam_ssh
ignores any private key file that is accessible by others or that possesses .disabled or .frozen as suffix. Each session key successfully decrypted is passed to the lauched SSH agent. - /var/log/auth.log
- Usual log file for syslog(3).
- /usr/share/pam-configs/ssh
pam_ssh
Debian package supplied authentication profile as managed by pam-auth-update(8).
SEE ALSO¶
ssh(1), ssh-agent(1), ssh-add(1), ssh-keygen(1), syslog(3), pam.conf(5), pam.d(5), pam(8), pam-auth-update(8), pam_tmpAUTHORS¶
Andrew J. Korty <ajk@iu.edu> wrotepam_ssh
.
Dag-Erling Smorgrav wrote the original
OpenPAM support code. Mark R V Murray wrote
the original version of this manual page. Jens
Peter Secher introduced the login-key concept. Refreshed for Debian by
Jerome Benoit <calculus@rezozer.net>.
pam_ssh
is currently maintained by
Wolfgang Rosenauer.May 29, 2014 | Debian |