|PAM_SSH(8)||FreeBSD System Manager's Manual||PAM_SSH(8)|
NAMEpam_ssh — authentication and session management with SSH private keys
SYNOPSIS[ service-name] module-type control-flag pam_ssh [ options]
DESCRIPTIONThe SSH authentication service module for PAM, pam_ssh provides functionality for two PAM categories: authentication and session management. In terms of the module-type parameter, they are the “
auth” and “
SSH Authentication ModuleThe SSH authentication component provides a function to verify the identity of a user ( pam_sm_authenticate()), by prompting the user for a passphrase and verifying that it can decrypt the target user's SSH key using that passphrase.
The following options may be passed to the authentication module:
- If the authentication module is not the first in the stack, and a previous module obtained the user's password, that password is used to authenticate the user. If this fails, the authentication module returns failure without prompting the user for a password. This option has no effect if the authentication module is the first in the stack, or if no previous modules obtained the user's password.
- This option is similar to the use_first_pass option, except that if the previously obtained password fails, the user is prompted for another password.
- Normally, keys with no passphrase are ignored for authentication purposes. If this option is set, keys with no passphrase will be taken into consideration, allowing the user to log in with a blank password.
SSH Session Management ModuleThe SSH session management component provides functions to initiate ( pam_sm_open_session()) and terminate ( pam_sm_close_session()) sessions. The pam_sm_open_session() function starts an SSH agent, passing it any private keys it decrypted during the authentication phase, and sets the environment variables the agent specifies. The pam_sm_close_session() function kills the previously started SSH agent by sending it a SIGTERM.
The following options may be passed to the session management module:
- Start an agent even if no keys were decrypted during the authentication phase.
- SSH1 RSA key
- SSH2 RSA key
- SSH2 DSA key
- SSH2 ECDSA key
AUTHORSThe pam_ssh module was originally written by <firstname.lastname@example.org>. The current implementation was developed for the FreeBSD Project by ThinkSec AS and NAI Labs, the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program. This manual page was written by <markm@FreeBSD.org>.
|October 7, 2011||FreeBSD|