.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "pam_ssh_agent_auth 8"
.TH pam_ssh_agent_auth 8 2024-04-16 v0.10.3 PAM
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
pam_ssh_agent_auth \- PAM module for granting permissions based on SSH agent requests
.SH DESCRIPTION
.IX Header "DESCRIPTION"
This module provides authentication via ssh-agent.  If an ssh-agent listening at SSH_AUTH_SOCK can successfully authenticate that it has the secret key for a public key in the specified file, authentication is granted, otherwise authentication fails.
.SH CONFIGURATION
.IX Header "CONFIGURATION"
.IP "/etc/pam.d/sudo: auth	sufficient	pam_ssh_agent_auth.so file=/etc/security/authorized_keys" 4
.IX Item "/etc/pam.d/sudo: auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys"
.PD 0
.IP /etc/sudoers: 4
.IX Item "/etc/sudoers:"
.PD
In older versions of sudo (< 1.8.5) it was necessary to set:
 Defaults    env_keep += "SSH_AUTH_SOCK"
.PP
This configuration would permit anyone who has an SSH_AUTH_SOCK that manages the private key matching a public key in /etc/security/authorized_keys to execute sudo without having to enter a password. Note that the ssh-agent listening to SSH_AUTH_SOCK can either be local, or forwarded.
.PP
Unlike NOPASSWD, this still requires an authentication, it's just that the authentication is provided by ssh-agent, and not password entry.
.SH ARGUMENTS
.IX Header "ARGUMENTS"
.IP "file=<path to authorized_keys>" 4
.IX Item "file=<path to authorized_keys>"
Specify the path to the authorized_keys file(s) you would like to use for authentication. Subject to tilde and % EXPANSIONS (below)
.IP allow_user_owned_authorized_keys_file 4
.IX Item "allow_user_owned_authorized_keys_file"
A flag which enables authorized_keys files to be owned by the invoking user, instead of root. This flag is enabled automatically whenever
the expansions \f(CW%h\fR or ~ are used.
.IP "authorized_keys_command=<path to executable>" 4
.IX Item "authorized_keys_command=<path to executable>"
Specify an external command to run, which should take a single argument, the username of the person being authenticated, and emit to its stdout a file in authorized_keys format.
This is ideally suited for use with sssd's sss_ssh_authorizedkeys, for authenticating users via authorized_keys stored in ldap or other sssd supported security service.
.IP authorized_keys_command_user=<username> 4
.IX Item "authorized_keys_command_user=<username>"
Specify a user to run the authorized_keys_command as. If this option is not specified, the authorized_keys_command will be run as the user being authenticated.
.IP debug 4
.IX Item "debug"
A flag which enables verbose logging
.IP "sudo_service_name=<service name you compiled sudo to use>" 4
.IX Item "sudo_service_name=<service name you compiled sudo to use>"
(when compiled with \-\-enable\-sudo\-hack)
.Sp
Specify the service name to use to identify the service "sudo". When the PAM_SERVICE identifier matches this 
string, and if PAM_RUSER is not set, pam_ssh_agent_auth will attempt to identify the calling user from the 
environment variable SUDO_USER.
.Sp
This defaults to "sudo".
.SH EXPANSIONS
.IX Header "EXPANSIONS"
.IP "~  \-\- same as in shells, a user's Home directory" 4
.IX Item "~ -- same as in shells, a user's Home directory"
Automatically enables allow_user_owned_authorized_keys_file if used in the context of ~/. If used as ~user/, it would expect the file to be owned by 'user', unless you explicitly set allow_user_owned_authorized_keys_file
.ie n .IP "%h \-\- User's Home directory" 4
.el .IP "\f(CW%h\fR \-\- User's Home directory" 4
.IX Item "%h -- User's Home directory"
Automatically enables allow_user_owned_authorized_keys_file
.ie n .IP "%H \-\- The short-hostname" 4
.el .IP "\f(CW%H\fR \-\- The short-hostname" 4
.IX Item "%H -- The short-hostname"
.PD 0
.ie n .IP "%u \-\- Username" 4
.el .IP "\f(CW%u\fR \-\- Username" 4
.IX Item "%u -- Username"
.ie n .IP "%f \-\- FQDN" 4
.el .IP "\f(CW%f\fR \-\- FQDN" 4
.IX Item "%f -- FQDN"
.PD
.SH EXAMPLES
.IX Header "EXAMPLES"
in /etc/pam.d/sudo
.ie n .IP """auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys""" 4
.el .IP "\f(CWauth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys\fR" 4
.IX Item "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"
The default .ssh/authorized_keys file in a user's home-directory
.ie n .IP """auth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys""" 4
.el .IP "\f(CWauth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys\fR" 4
.IX Item "auth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys"
Same as above.
.ie n .IP """auth sufficient pam_ssh_agent_auth.so file=~fred/.ssh/authorized_keys""" 4
.el .IP "\f(CWauth sufficient pam_ssh_agent_auth.so file=~fred/.ssh/authorized_keys\fR" 4
.IX Item "auth sufficient pam_ssh_agent_auth.so file=~fred/.ssh/authorized_keys"
If the home-directory of user 'fred' was /home/fred, this would expand to /home/fred/.ssh/authorized_keys.
In this case, we have not specified allow_user_owned_authorized_keys_file, 
so this file must be owned by 'fred'.
.ie n .IP """auth sufficient pam_ssh_agent_auth.so file=/secure/%H/%u/authorized_keys allow_user_owned_authorized_keys_file""" 4
.el .IP "\f(CWauth sufficient pam_ssh_agent_auth.so file=/secure/%H/%u/authorized_keys allow_user_owned_authorized_keys_file\fR" 4
.IX Item "auth sufficient pam_ssh_agent_auth.so file=/secure/%H/%u/authorized_keys allow_user_owned_authorized_keys_file"
On a host named foobar.baz.com, and a user named fred,
would expand to /secure/foobar/fred/authorized_keys.
In this case, we specified allow_user_owned_authorized_keys_file, 
so fred would be able to manage that authorized_keys file himself.
.ie n .IP """auth sufficient pam_ssh_agent_auth.so file=/secure/%f/%u/authorized_keys""" 4
.el .IP "\f(CWauth sufficient pam_ssh_agent_auth.so file=/secure/%f/%u/authorized_keys\fR" 4
.IX Item "auth sufficient pam_ssh_agent_auth.so file=/secure/%f/%u/authorized_keys"
On a host named foobar.baz.com, and a user named fred, 
would expand to /secure/foobar.baz.com/fred/authorized_keys.
In this case, we have not specified allow_user_owned_authorized_keys_file, 
so this file must be owned by root.
.ie n .IP """auth [success=3 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys debug""" 4
.el .IP "\f(CWauth [success=3 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys debug\fR" 4
.IX Item "auth [success=3 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys debug"
This pam.d config format allows for more control over how pam handles success and failure. In this example,
we use success=3, which specifies that when this module succeeds, pam should jump over the next 3 auth modules
and continue from there. This is useful, for instance, if /etc/pam.d/common\-auth is included, and contains
3 "auth required" or similar module rules that we wish to skip, but we wish not to skip other auth rules.
.Sp
For more information, please see http://linux.die.net/man/5/pam.d
.SH COPYRIGHT
.IX Header "COPYRIGHT"
.Vb 3
\& Copyright (c) 2008\-2014, Jamie Beverly.
\& And is based on openssh, and the included works by Markus Friedl, Darren Tucker,
\& Todd C. Miller, Ben Lindstrom, Tim Rice, Damien Miller, and many others.
\&
\& All rights reserved.
\&
\& See sources for complete attributions.
\& 
\& Redistribution and use in source and binary forms, with or without modification, are
\& permitted provided that the following conditions are met:
\&
\& 1. Redistributions of source code must retain the above copyright notice, this list of
\&    conditions and the following disclaimer.
\&
\& 2. Redistributions in binary form must reproduce the above copyright notice, this list
\&    of conditions and the following disclaimer in the documentation and/or other materials
\&    provided with the distribution.
\&
\& THIS SOFTWARE IS PROVIDED BY Jamie Beverly \`\`AS IS\*(Aq\*(Aq AND ANY EXPRESS OR IMPLIED
\& WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
\& FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Jamie Beverly OR
\& CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
\& CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
\& SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
\& ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
\& NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
\& ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.Ve