Manual page: pam_ssh(8)
PAM_SSH(8) FreeBSD System Manager's Manual PAM_SSH(8)
NAME
pam_ssh -- authentication and session management with SSH private keys
SYNOPSIS
[service-name] module-type control-flag pam_ssh [options]
DESCRIPTION
The SSH authentication service module for PAM, pam_ssh provides function-
ality for two PAM categories: authentication and session management. In
terms of the module-type parameter, they are the ``auth'' and ``session''
features.
SSH Authentication Module
The SSH authentication component provides a function to verify the iden-
tity of a user (pam_sm_authenticate()), by prompting the user for a
passphrase and verifying that it can decrypt the target user's SSH key
using that passphrase.
The following options may be passed to the authentication module:
use_first_pass If the authentication module is not the first in the
stack, and a previous module obtained the user's pass-
word, that password is used to authenticate the user. If
this fails, the authentication module returns failure
without prompting the user for a password. This option
has no effect if the authentication module is the first
in the stack, or if no previous modules obtained the
user's password.
try_first_pass This option is similar to the use_first_pass option,
except that if the previously obtained password fails,
the user is prompted for another password.
nullok Normally, keys with no passphrase are ignored for authen-
tication purposes. If this option is set, keys with no
passphrase will be taken into consideration, allowing the
user to log in with a blank password.
SSH Session Management Module
The SSH session management component provides functions to initiate
(pam_sm_open_session()) and terminate (pam_sm_close_session()) sessions.
The pam_sm_open_session() function starts an SSH agent, passing it any
private keys it decrypted during the authentication phase, and sets the
environment variables the agent specifies. The pam_sm_close_session()
function kills the previously started SSH agent by sending it a SIGTERM.
The following options may be passed to the session management module:
want_agent Start an agent even if no keys were decrypted during the
authentication phase.
FILES
$HOME/.ssh/identity SSH1 RSA key
$HOME/.ssh/id_rsa SSH2 RSA key
$HOME/.ssh/id_dsa SSH2 DSA key
SEE ALSO
ssh-agent(1), pam.conf(5), pam(8)
AUTHORS
The pam_ssh module was originally written by Andrew J. Korty
<ajk@iu.edu>. The current implementation was developed for the FreeBSD
Project by ThinkSec AS and NAI Labs, the Security Research Division of
Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
(``CBOSS''), as part of the DARPA CHATS research program. This manual
page was written by Mark R V Murray <markm@FreeBSD.org>.
FreeBSD 7.0 November 26, 2001 FreeBSD 7.0