logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

pam_ssh — authentication and session management with SSH private keys

Contents

Authors

       Andrew J. Korty <ajk@iu.edu> wrote pam_ssh.  Dag-Erling Smorgrav wrote the original OpenPAM support code.
       Mark  R V Murray wrote the original version of this manual page.  Jens Peter Secher introduced the login-
       key concept.  Refreshed  for  Debian  by  Jerome  Benoit  <calculus@rezozer.net>.  pam_ssh  is  currently
       maintained by Wolfgang Rosenauer.

                                                January 14, 2019                                      PAM_SSH(8)

Description

       The  SSH  authentication  service  module for PAM, pam_ssh provides functionality for two PAM categories:
       authentication and session management.  In terms of the module-type parameter, they are  the  “auth”  and
       “session” features.  It also provides null functions for the remaining categories.

   SSHAuthenticationModule
       The  SSH  authentication component verifies the identity of a user by prompting the user for a passphrase
       and verifying that it can decrypt at least one of the user's SSH login  (or  authentication)  keys  using
       that passphrase.

       The  user's  SSH  login  keys  must  be either located or symbolically linked into the per-user dedicated
       folder ~/.ssh/login-keys.d/ in the user's home directory.

       The following options may be passed to the authentication module:
       debugsyslog(3) debugging information at LOG_DEBUG level.
       use_first_pass
               If the authentication module is not the first in the stack, and a previous  module  obtained  the
               user's password, that password is used to decrypt the user's SSH login keys.  If this fails, then
               the authentication module returns failure without prompting the user for a passphrase.
       try_first_pass
               Similar  to  the  use_first_pass option, except that if the previously obtained password fails to
               decrypt any of the SSH login keys, then the user is prompted for an SSH passphrase.
       nullok  Allow SSH keys with no passphrase.

       If neither use_first_pass nor try_first_pass is specified, pam_ssh will unconditionally ask  for  an  SSH
       passphrase.

       The now deprecated name allow_blank_passphrase for nullok is kept for compatibility reasons.

   SSHSessionManagementModule
       The  SSH session management component initiates sessions by launching an SSH agent, passing it any user's
       SSH login keys successfully decrypted during the authentication phase and any additional user SSH session
       keys successfully decrypted, and  sets  dedicated  environment  variables  accordingly;  the  environment
       variable  TMPDIR,  which can be set through the pam_tmpdir module for instance, is also honoured by being
       passed to the SSH agent.

       The SSH session management component terminates the session by killing the previously launched SSH  agent
       by sending it a SIGTERM.

       The  traditional  SSH  keys  ~/.ssh/id_rsa,  ~/.ssh/id_dsa,  ~/.ssh/id_ecdsa,  and  ~/.ssh/id_ed25519 are
       considered as the default SSH session keys.  Nonetheless, extra user  SSH  session  keys  can  be  either
       located  or  symbolically  linked into the per-user dedicated folder ~/.ssh/session-keys.d/ in the user's
       home directory.

       Provided that they have been successfully decrypted, the SSH session management passes  to  the  launched
       SSH  agent  first  the session SSH keys in lexical order, second the login SSH keys in lexical order, and
       finally the traditional SSH keys in the reverse order cited above.  Since the  SSH  agent  keeps  in  its
       memory  for  each  passed  key its first position (but its last comment), each SSH key rank can be easily
       overwritten with an appropriate symbolic link placed in ~/.ssh/session-keys.d/  or  ~/.ssh/login-keys.d/;
       this  is  especially  true for the traditional SSH keys.  The involved lexical order is performed against
       the SSH key file basenames (according to the C/POSIX locale character collation rules).  Because actually
       their basenames are passed as comments, their effective order might be easily checked with an appropriate
       SSH agent helper as ssh-add(3).  As final remark, keep in mind that the SSH agent may  place  itself  SSH
       keys with protocol 1 before SSH keys with protocol 2.

       The following option may be passed to the session management module:
       debugsyslog(3) debugging information at LOG_DEBUG level.

Files

~/.ssh/
               This directory is the default per-user location for all user-specific SSH configuration  and  SSH
               authentication information as expected by SSH and its friends.

       ~/.ssh/id_rsa~/.ssh/id_dsa~/.ssh/id_ecdsa~/.ssh/id_ed25519
               Contains  the traditional private key for authentication.  These files contain sensitive data and
               should be readable by the user but not accessible by others: any  traditional  private  key  file
               that  is  accessible by others is simply ignored.  While the SSH authentication component ignores
               the traditional private keys, the  SSH  session  management  component  passes  any  successfully
               decrypted traditional key to the launched SSH agent.

       ~/.ssh/login-keys.d/
               This  directory  is  the  dedicated  per-user  location for files or symbolic links to files that
               contains SSH private keys considered by the SSH authentication component.   pam_ssh  ignores  any
               private  key  file that is accessible by others or that possesses .disabled or .frozen as suffix.
               Each login key successfully decrypted is passed by the SSH session management  component  to  the
               launched SSH agent.

       ~/.ssh/session-keys.d/
               This  directory  is  the  dedicated  per-user  location for files or symbolic links to files that
               contains (extra) SSH private keys considered  only  by  the  SSH  session  management  component.
               pam_ssh  ignores any private key file that is accessible by others or that possesses .disabled or
               .frozen as suffix.  Each session key successfully decrypted is passed to the launched SSH agent.

       /var/log/auth.log
               Usual log file for syslog(3).

       /usr/share/pam-configs/sshpam_ssh Debian package supplied authentication profile as managed by pam-auth-update(8).

Information Leaks

       Be  careful  with  the  using  the  try_first_pass option when pam_ssh is the first authentication module
       because it will then leak information about existing users without login keys: such  users  will  not  be
       asked  for  a specific SSH passphrase, whereas non-existing users and existing users with login keys will
       be asked for a passphrase.

Name

       pam_ssh — authentication and session management with SSH private keys

See Also

ssh(1),   ssh-agent(1),   ssh-add(1),   ssh-keygen(1),   syslog(3),   pam.conf(5),   pam.d(5),    pam(8),
       pam-auth-update(8), pam_tmp

Synopsis

       [service-name] module-typecontrol-flagpam_ssh [options]

See Also

Keys Cafe Rgb Keyboard
Keys Cafe Rgb Keyboard PNG Icons
Session
Session PNG Icons
User
User PNG Icons
Man Pages
mongoc_authentication Man Pages
Login
Login PNG Icons
MCP
Agent Mcp
Man Pages
ifmib Man Pages
Man Pages
module Man Pages
First
First PNG Icons
← View System admin Category← Back to Network service daemons🙏  Credits & Acknowledgments