pam_ssh_agent_auth(8)                 PAM                 pam_ssh_agent_auth(8)

DESCRIPTION
       This module provides authentication via ssh-agent. If an ssh-agent
       listening at SSH_AUTH_SOCK can successfully authenticate that it has
       the secret key for a public key in the specified file, authentication
       is granted; otherwise authentication fails.

       /etc/pam.d/sudo:
              auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
       /etc/sudoers:
              Defaults env_keep += "SSH_AUTH_SOCK"

       This configuration would permit anyone who has an SSH_AUTH_SOCK that
       manages the private key matching a public key in
       /etc/security/authorized_keys to execute sudo without having to enter a
       password. Note that the ssh-agent listening on SSH_AUTH_SOCK can be
       either local or forwarded.

       Unlike NOPASSWD, this still requires an authentication; it is just that
       the authentication is provided by ssh-agent rather than by password
       entry.

OPTIONS
       file=<path to authorized_keys>
              Specify the path to the authorized_keys file(s) you would like to
              use for authentication. Subject to tilde and % EXPANSIONS (below).

       allow_user_owned_authorized_keys_file
              A flag which allows authorized_keys files to be owned by the
              invoking user instead of root. This flag is enabled automatically
              whenever the expansions %h or ~ are used.

       debug
              A flag which enables verbose logging.

       sudo_service_name=<service name you compiled sudo to use>
              (only when compiled with --enable-sudo-hack)

              Specify the service name used to identify the service "sudo".
              When the PAM_SERVICE identifier matches this string, and
              PAM_RUSER is not set, pam_ssh_agent_auth will attempt to identify
              the calling user from the environment variable SUDO_USER.

              This defaults to "sudo".

EXPANSIONS
       ~ -- same as in shells, a user's home directory
              Automatically enables allow_user_owned_authorized_keys_file if
              used in the form ~/. If used as ~user/, the file is expected to
              be owned by 'user' unless you explicitly set
              allow_user_owned_authorized_keys_file.

       %h -- the user's home directory
              Automatically enables allow_user_owned_authorized_keys_file.

       %H -- the short hostname
       %u -- the username
       %f -- the FQDN

EXAMPLES
       In /etc/pam.d/sudo:

       "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"
              The default .ssh/authorized_keys file in a user's home directory.

       "auth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys"
              Same as above.

       "auth sufficient pam_ssh_agent_auth.so file=~fred/.ssh/authorized_keys"
              If the home directory of user 'fred' were /home/fred, this would
              expand to /home/fred/.ssh/authorized_keys. In this case we have
              not specified allow_user_owned_authorized_keys_file, so this file
              must be owned by 'fred'.

       "auth sufficient pam_ssh_agent_auth.so file=/secure/%H/%u/authorized_keys allow_user_owned_authorized_keys_file"
              On a host named foobar.baz.com, for a user named fred, this would
              expand to /secure/foobar/fred/authorized_keys. In this case we
              specified allow_user_owned_authorized_keys_file, so fred would be
              able to manage that authorized_keys file himself.

       "auth sufficient pam_ssh_agent_auth.so file=/secure/%f/%u/authorized_keys"
              On a host named foobar.baz.com, for a user named fred, this would
              expand to /secure/foobar.baz.com/fred/authorized_keys. In this
              case we have not specified allow_user_owned_authorized_keys_file,
              so this file must be owned by root.

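       The following is an added illustration, not part of the man page or of
       the pam_ssh_agent_auth project, written in Python (the module itself is
       a C PAM module). It applies the EXPANSIONS rules and the ownership
       policy described above to the EXAMPLES lines: it parses a pam.d line,
       expands ~, ~user, %h, %H, %u and %f, and reports which owner the module
       will require for the resulting file. Context, Resolution, the helper
       names and the sample owners mapping are this example's own constructs;
       the owners mapping stands in for a stat()/passwd lookup so the script
       runs offline.

```python
"""Resolve pam_ssh_agent_auth 'file=' templates and derive the owner the module
will require for the resulting authorized_keys file.

Added illustration in Python (pam_ssh_agent_auth itself is a C PAM module); the
expansion rules and ownership policy are those the man page states, while
Context, Resolution and the helper names are this example's own."""
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Context:
    user: str        # the user being authenticated (%u)
    home: str        # that user's home directory (%h and ~/)
    hostname: str    # short host name (%H)
    fqdn: str        # fully-qualified host name (%f)
    homes: dict = field(default_factory=dict)  # constructed getpwnam() stand-in for ~name/

@dataclass(frozen=True)
class Resolution:
    path: str              # expanded authorized_keys path
    required_owner: str    # "root" or the user the module expects to own the file
    user_owned: bool       # True when allow_user_owned_authorized_keys_file is in effect

def parse_pam_line(line):
    """Split 'auth sufficient pam_ssh_agent_auth.so opt opt=value ...' into its options."""
    fields = line.strip().strip('"').split()
    if len(fields) < 3 or fields[2] != "pam_ssh_agent_auth.so":
        raise ValueError("not a pam_ssh_agent_auth.so line: %r" % line)
    opts = {}
    for token in fields[3:]:
        key, sep, value = token.partition("=")
        opts[key] = value if sep else True  # bare flags such as debug become True
    return opts

_PERCENT = {"h": "home", "H": "hostname", "u": "user", "f": "fqdn"}

def resolve(template, ctx, allow_user_owned=False):
    """Expand ~, ~name, %h, %H, %u and %f and decide who must own the file."""
    path, named_owner = template, None
    user_owned = allow_user_owned or "%h" in template  # %h switches on user-owned files
    if path.startswith("~"):
        m = re.match(r"~([^/]*)", path)
        name = m.group(1)
        if name == "":
            path = ctx.home + path[1:]  # ~/ : invoking user's home, user-owned files allowed
            user_owned = True
        else:
            if name not in ctx.homes:   # ~name/ : name's home; name must own the file
                raise KeyError("unknown user in template: %s" % name)
            path = ctx.homes[name] + path[m.end():]
            named_owner = name
    # %-sequences other than h, H, u, f are not described on the page and are left untouched
    path = re.sub(r"%([hHuf])", lambda mm: getattr(ctx, _PERCENT[mm.group(1)]), path)
    if user_owned:
        owner = ctx.user
    elif named_owner is not None:
        owner = named_owner
    else:
        owner = "root"
    return Resolution(path=path, required_owner=owner, user_owned=user_owned)

def resolve_pam_line(line, ctx):
    """Parse one pam.d line and resolve its file= template for the given context."""
    opts = parse_pam_line(line)
    if opts.get("file") in (None, True):
        raise ValueError("file=<path> option is required")
    flag = bool(opts.get("allow_user_owned_authorized_keys_file", False))
    return resolve(opts["file"], ctx, allow_user_owned=flag)

def audit(lines, ctx, owners):
    """owners: constructed mapping path -> owning user, standing in for stat() and a passwd
    lookup. Returns (path, required_owner, actual_owner, ok) per line; ok=False marks a
    file the module would refuse because of its ownership."""
    report = []
    for line in lines:
        res = resolve_pam_line(line, ctx)
        actual = owners.get(res.path)
        report.append((res.path, res.required_owner, actual, actual == res.required_owner))
    return report

if __name__ == "__main__":
    # constructed sample: the page's host foobar.baz.com and user fred
    ctx = Context(user="fred", home="/home/fred", hostname="foobar", fqdn="foobar.baz.com",
                  homes={"fred": "/home/fred"})
    lines = ["auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys",
             "auth sufficient pam_ssh_agent_auth.so file=~fred/.ssh/authorized_keys",
             "auth sufficient pam_ssh_agent_auth.so file=/secure/%f/%u/authorized_keys"]
    owners = {"/etc/security/authorized_keys": "root",               # constructed, as if from disk
              "/home/fred/.ssh/authorized_keys": "fred",
              "/secure/foobar.baz.com/fred/authorized_keys": "fred"}  # wrong: must be root
    for row in audit(lines, ctx, owners):
        print(row)
```

       The ownership decision is the security-relevant part: a template that
       resolves to a root-owned path but is configured as user-owned (or the
       reverse) is exactly the misconfiguration that makes the module either
       reject every login or trust a file the user can rewrite, so an audit of
       this kind is worth running whenever a file= template is changed.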

v0.8                               2009-08-09               pam_ssh_agent_auth(8)