pam_ssh_agent_auth(8)                 PAM                pam_ssh_agent_auth(8)

NAME

       pam_ssh_agent_auth - PAM module for granting permissions based on SSH
       agent requests

DESCRIPTION

       This module provides authentication via ssh-agent.  If an ssh-agent
       listening at SSH_AUTH_SOCK can successfully prove that it holds the
       private key for a public key in the specified file, authentication is
       granted; otherwise authentication fails.

CONFIGURATION

       /etc/pam.d/sudo:
           auth    sufficient     pam_ssh_agent_auth.so file=/etc/security/authorized_keys

       /etc/sudoers:
           In older versions of sudo (< 1.8.5) it was necessary to set:
           Defaults    env_keep += "SSH_AUTH_SOCK"

       This configuration would permit anyone whose SSH_AUTH_SOCK points at an
       agent holding the private key matching a public key in
       /etc/security/authorized_keys to execute sudo without having to enter a
       password. Note that the ssh-agent listening on SSH_AUTH_SOCK can be
       either local or forwarded.

       Unlike NOPASSWD, this still requires an authentication; it's just that
       the authentication is provided by ssh-agent rather than by password
       entry.

ARGUMENTS

       file=<path to authorized_keys>
           Specify the path to the authorized_keys file(s) you would like to
           use for authentication. Subject to tilde and % EXPANSIONS (below).

       allow_user_owned_authorized_keys_file
           A flag which allows authorized_keys files to be owned by the
           invoking user instead of root. This flag is enabled automatically
           whenever the expansions %h or ~ are used.

       authorized_keys_command=<path to executable>
           Specify an external command to run, which should take a single
           argument, the username of the person being authenticated, and emit
           to its stdout a file in authorized_keys format.  This is ideally
           suited for use with sssd's sss_ssh_authorizedkeys, for
           authenticating users via authorized_keys stored in LDAP or another
           sssd-supported security service.

       authorized_keys_command_user=<username>
           Specify a user to run the authorized_keys_command as. If this
           option is not specified, the authorized_keys_command will be run as
           the user being authenticated.

       debug
           A flag which enables verbose logging.

       sudo_service_name=<service name you compiled sudo to use>
           (when compiled with --enable-sudo-hack)

           Specify the service name to use to identify the service "sudo".
           When the PAM_SERVICE identifier matches this string, and if
           PAM_RUSER is not set, pam_ssh_agent_auth will attempt to identify
           the calling user from the environment variable SUDO_USER.

           This defaults to "sudo".

EXPANSIONS

       ~  -- same as in shells, a user's home directory
           Automatically enables allow_user_owned_authorized_keys_file if used
           in the form ~/. If used as ~user/, the file is expected to be
           owned by 'user', unless you explicitly set
           allow_user_owned_authorized_keys_file.

       %h -- User's home directory
           Automatically enables allow_user_owned_authorized_keys_file

       %H -- The short hostname
       %u -- Username
       %f -- FQDN

EXAMPLES

       In /etc/pam.d/sudo:

       "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"
           The default .ssh/authorized_keys file in a user's home directory.

       "auth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys"
           Same as above.

       "auth sufficient pam_ssh_agent_auth.so file=~fred/.ssh/authorized_keys"
           If the home directory of user 'fred' is /home/fred, this expands
           to /home/fred/.ssh/authorized_keys.  In this case, we have not
           specified allow_user_owned_authorized_keys_file, so this file must
           be owned by 'fred'.

       "auth sufficient pam_ssh_agent_auth.so
       file=/secure/%H/%u/authorized_keys
       allow_user_owned_authorized_keys_file"
           On a host named foobar.baz.com, for a user named fred, this expands
           to /secure/foobar/fred/authorized_keys.  In this case, we specified
           allow_user_owned_authorized_keys_file, so fred is able to manage
           that authorized_keys file himself.

       "auth sufficient pam_ssh_agent_auth.so
       file=/secure/%f/%u/authorized_keys"
           On a host named foobar.baz.com, for a user named fred, this expands
           to /secure/foobar.baz.com/fred/authorized_keys.  In this case, we
           have not specified allow_user_owned_authorized_keys_file, so this
           file must be owned by root.

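       The expansion and ownership rules behind the examples above, as an
       added Python model that is not the module's own code: expand() applies
       the ~, ~user, %h, %H, %u and %f expansions to a file= template and
       reports which user the module would require to own the resulting file
       (root by default; the invoking user when
       allow_user_owned_authorized_keys_file is set explicitly or implied by
       ~/ or %h; 'user' for ~user/). The home-directory table and the FQDN are
       constructed sample values standing in for getpwnam(3) and
       gethostname(2); expand(), Resolved and owner_ok() are this example's
       names, not names from the module.

```python
"""Model of pam_ssh_agent_auth's file= expansion and ownership rule.

This is an added example, not the module's own code.  It implements the
documented rules: ~, ~user, %h, %H, %u and %f are expanded, and the
resulting file must be owned by root unless
allow_user_owned_authorized_keys_file is set, either explicitly or
implicitly (~/ and %h enable it; ~user/ instead expects 'user' to own it).
Home directories and the FQDN are constructed sample values standing in
for getpwnam(3) and gethostname(2).
"""
import re
from dataclasses import dataclass

# Constructed sample data (an assumption of this example, not read from the system).
SAMPLE_HOMES = {"fred": "/home/fred", "alice": "/home/alice", "root": "/root"}
SAMPLE_FQDN = "foobar.baz.com"

TILDE = re.compile(r"~([A-Za-z0-9_.-]*)/")


@dataclass(frozen=True)
class Resolved:
    path: str            # fully expanded authorized_keys path
    required_owner: str  # user that must own the file


def expand(template, user, allow_user_owned=False,
           homes=SAMPLE_HOMES, fqdn=SAMPLE_FQDN):
    """Expand a file= template for 'user' and report the required owner."""
    short_host = fqdn.split(".", 1)[0]   # %H is the short hostname
    required_owner = "root"              # default: only root may own the file
    implicit_user_owned = False
    path = template

    if path.startswith("~"):
        m = TILDE.match(path)
        if m is None:
            raise ValueError("unsupported tilde form: %r" % template)
        tilde_user = m.group(1) or user
        if tilde_user not in homes:
            raise KeyError("unknown user %r" % tilde_user)
        # keep the '/' that follows the tilde part
        path = homes[tilde_user] + path[m.end() - 1:]
        if m.group(1) == "":
            implicit_user_owned = True     # ~/ enables allow_user_owned_authorized_keys_file
        else:
            required_owner = tilde_user    # ~user/ expects 'user' to own the file

    if "%h" in path:
        implicit_user_owned = True         # %h also enables the flag
    path = (path.replace("%h", homes[user])
                .replace("%H", short_host)
                .replace("%u", user)
                .replace("%f", fqdn))

    if allow_user_owned or implicit_user_owned:
        required_owner = user              # the invoking user may own the file
    return Resolved(path, required_owner)


def owner_ok(resolved, actual_owner):
    """Ownership check as the man page states it: the owner must match exactly."""
    return actual_owner == resolved.required_owner


if __name__ == "__main__":
    for tpl, flag in [("~/.ssh/authorized_keys", False),
                      ("~fred/.ssh/authorized_keys", False),
                      ("/secure/%H/%u/authorized_keys", True),
                      ("/secure/%f/%u/authorized_keys", False)]:
        r = expand(tpl, "fred", allow_user_owned=flag)
        print("%-35s -> %s (owner: %s)" % (tpl, r.path, r.required_owner))
```

       The point to notice is the ownership column: two templates can expand
       to the same path (~/ and %h/) and still differ from a root-owned
       template such as /secure/%f/%u/authorized_keys in who is trusted to
       edit the key list that grants sudo.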
       "auth [success=3 default=ignore] pam_ssh_agent_auth.so
       file=~/.ssh/authorized_keys debug"
           This pam.d config format allows for more control over how PAM
           handles success and failure. In this example, we use success=3,
           which specifies that when this module succeeds, PAM should jump
           over the next 3 auth modules and continue from there. This is
           useful, for instance, if /etc/pam.d/common-auth is included and
           contains 3 "auth required" or similar module rules that we wish to
           skip, while not skipping the other auth rules.

           For more information, please see http://linux.die.net/man/5/pam.d

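       The control-flag semantics behind that last example, as an added
       Python model that is neither Linux-PAM's nor the module's own code: it
       evaluates a constructed auth stack (the man page's [success=3
       default=ignore] line followed by three rules shaped like a Debian-style
       common-auth include and one trailing optional rule) with module results
       supplied as a dict, and reports which rules actually ran. run_auth_stack()
       and SAMPLE_STACK are this example's names. It simplifies real PAM
       dispatch (optional results are ignored outright) but is enough to
       contrast success=3, which jumps over exactly three rules and then keeps
       going, with sufficient, which ends the whole stack on success.

```python
"""Simplified evaluator for a Linux-PAM auth stack.

Added example, not pam_ssh_agent_auth's or Linux-PAM's own code.  It models
the control flags the man page uses (sufficient, required, requisite,
optional and [success=N default=ignore]) closely enough to show why
"success=3" jumps over exactly three rules while "sufficient" ends the
whole stack.  Module results are supplied as a constructed dict instead of
running real modules.
"""
import re

JUMP = re.compile(r"\[success=(\d+) default=ignore\]")

# Constructed sample stack (an assumption of this example): the man page's
# example line followed by rules shaped like a Debian-style common-auth include.
SAMPLE_STACK = [
    ("[success=3 default=ignore]", "pam_ssh_agent_auth.so"),
    ("[success=1 default=ignore]", "pam_unix.so"),   # \
    ("requisite", "pam_deny.so"),                    #  > the 3 rules we jump over
    ("required", "pam_permit.so"),                   # /
    ("optional", "pam_cap.so"),                      # still runs after the jump
]


def run_auth_stack(stack, outcomes):
    """Return ("success" | "fail", [modules actually executed]).

    outcomes maps module name -> True (PAM_SUCCESS) or False (failure).
    A module missing from outcomes is treated as failing.
    """
    executed = []
    required_failed = False   # a failed "required" rule poisons the final result
    saw_success = False       # some rule contributed a positive result
    i = 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        ok = outcomes.get(module, False)
        executed.append(module)

        jump = JUMP.fullmatch(control)
        if jump:
            if ok:
                saw_success = True
                i += int(jump.group(1))     # skip the next N rules
            continue                        # default=ignore: a failure says nothing
        if control == "sufficient":
            if ok and not required_failed:
                return "success", executed  # short-circuits the rest of the stack
            continue
        if control == "requisite":
            if not ok:
                return "fail", executed     # immediate failure
            saw_success = True
            continue
        if control == "required":
            if ok:
                saw_success = True
            else:
                required_failed = True      # keep going so the caller cannot tell which rule failed
            continue
        if control == "optional":
            continue                        # simplification: optional results never decide
        raise ValueError("unsupported control flag: %r" % control)

    if required_failed or not saw_success:
        return "fail", executed
    return "success", executed


if __name__ == "__main__":
    agent_ok = {"pam_ssh_agent_auth.so": True, "pam_cap.so": True}
    password_ok = {"pam_unix.so": True, "pam_permit.so": True, "pam_cap.so": True}
    nothing_ok = {"pam_permit.so": True}
    for name, outcomes in [("agent", agent_ok), ("password", password_ok), ("neither", nothing_ok)]:
        print(name, run_auth_stack(SAMPLE_STACK, outcomes))
```

       Run with an agent success, only pam_ssh_agent_auth.so and the trailing
       pam_cap.so execute; with a sufficient control on the same line,
       pam_cap.so would never run at all. That difference is exactly what the
       man page means by skipping the three common-auth rules "but not
       other auth rules".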
       Copyright (c) 2008-2014, Jamie Beverly.
       And is based on openssh, and the included works by Markus Friedl, Darren Tucker,
       Todd C. Miller, Ben Lindstrom, Tim Rice, Damien Miller, and many others.

       All rights reserved.

       See sources for complete attributions.

       Redistribution and use in source and binary forms, with or without modification, are
       permitted provided that the following conditions are met:

       1. Redistributions of source code must retain the above copyright notice, this list of
          conditions and the following disclaimer.

       2. Redistributions in binary form must reproduce the above copyright notice, this list
          of conditions and the following disclaimer in the documentation and/or other materials
          provided with the distribution.

       THIS SOFTWARE IS PROVIDED BY Jamie Beverly ``AS IS'' AND ANY EXPRESS OR IMPLIED
       WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
       FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Jamie Beverly OR
       CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
       CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
       SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
       ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
       NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
       ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
v0.10.3                           2020-04-08             pam_ssh_agent_auth(8)