pam_ssh_agent_auth(8)                    PAM                    pam_ssh_agent_auth(8)

NAME
       pam_ssh_agent_auth - PAM module for granting permissions based on SSH
       agent requests

DESCRIPTION
       This module provides authentication via ssh-agent. It connects to the
       ssh-agent listening at SSH_AUTH_SOCK and asks it to sign a challenge
       with a key whose public half is listed in the specified authorized_keys
       file. If the agent returns a signature that verifies under that public
       key, authentication is granted; otherwise authentication fails.

EXAMPLE
       /etc/pam.d/sudo:
           auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys

       /etc/sudoers:
           In older versions of sudo (< 1.8.5) it was necessary to set:
           Defaults env_keep += "SSH_AUTH_SOCK"

       This configuration permits anyone whose SSH_AUTH_SOCK points at an
       agent holding the private key matching a public key in
       /etc/security/authorized_keys to run sudo without entering a password.
       Note that the ssh-agent listening on SSH_AUTH_SOCK can be either local
       or forwarded. With a forwarded agent the private key never leaves the
       user's workstation, but anything that can reach the forwarded socket
       on this host (root, or another process running as the same user) can
       use the agent for the same purpose while the session lasts, so agent
       forwarding should only be enabled towards hosts that are trusted.

       Unlike NOPASSWD, this still requires an authentication; it is just
       that the authentication is provided by ssh-agent rather than by
       password entry. The decision therefore rests on the authorized_keys
       file being trustworthy: by default the module requires it to be
       owned by root (see allow_user_owned_authorized_keys_file below).

ARGUMENTS
       file=<path to authorized_keys>
              Specify the path to the authorized_keys file(s) you would like
              to use for authentication. Subject to tilde and % EXPANSIONS
              (below).

       allow_user_owned_authorized_keys_file
              A flag which allows the authorized_keys file to be owned by the
              invoking user instead of root. This flag is enabled
              automatically whenever the expansions %h or ~ are used. Note
              that a user who can write the file can add any key whose
              private half their agent holds, so for that user the module
              then grants access on the strength of a key they chose
              themselves; use this only where that is acceptable.

       authorized_keys_command=<path to executable>
              Specify an external command to run, which should take a single
              argument, the username of the person being authenticated, and
              write keys in authorized_keys format to its stdout. This is
              ideally suited for use with sssd's sss_ssh_authorizedkeys, for
              authenticating users via authorized_keys stored in LDAP or
              another sssd-supported security service.

       authorized_keys_command_user=<username>
              Specify a user to run the authorized_keys_command as. If this
              option is not specified, the authorized_keys_command is run as
              the user being authenticated.

       debug
              A flag which enables verbose logging.

       sudo_service_name=<service name you compiled sudo to use>
              (when compiled with --enable-sudo-hack)

              Specify the service name used to identify the service "sudo".
              When the PAM_SERVICE identifier matches this string and
              PAM_RUSER is not set, pam_ssh_agent_auth will attempt to
              identify the calling user from the environment variable
              SUDO_USER.

              This defaults to "sudo".

EXPANSIONS
       ~ -- same as in shells, a user's home directory
              Automatically enables allow_user_owned_authorized_keys_file
              when used as ~/. When used as ~user/, the file is expected to
              be owned by 'user' unless you explicitly set
              allow_user_owned_authorized_keys_file, in which case the
              invoking user is the expected owner.

       %h -- User's home directory
              Automatically enables allow_user_owned_authorized_keys_file

       %H -- The short hostname
       %u -- Username
       %f -- FQDN

EXAMPLES
       in /etc/pam.d/sudo

       "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"
              The default .ssh/authorized_keys file in a user's home
              directory.

       "auth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys"
              Same as above.

       "auth sufficient pam_ssh_agent_auth.so file=~fred/.ssh/authorized_keys"
              If the home directory of user 'fred' is /home/fred, this
              expands to /home/fred/.ssh/authorized_keys. In this case, we
              have not specified allow_user_owned_authorized_keys_file, so
              this file must be owned by 'fred'.

       "auth sufficient pam_ssh_agent_auth.so
       file=/secure/%H/%u/authorized_keys
       allow_user_owned_authorized_keys_file"
              On a host named foobar.baz.com, for a user named fred, this
              expands to /secure/foobar/fred/authorized_keys. In this case,
              we specified allow_user_owned_authorized_keys_file, so fred is
              able to manage that authorized_keys file himself.

       "auth sufficient pam_ssh_agent_auth.so
       file=/secure/%f/%u/authorized_keys"
              On a host named foobar.baz.com, for a user named fred, this
              expands to /secure/foobar.baz.com/fred/authorized_keys. In this
              case, we have not specified
              allow_user_owned_authorized_keys_file, so this file must be
              owned by root.

       "auth [success=3 default=ignore] pam_ssh_agent_auth.so
       file=~/.ssh/authorized_keys debug"
              This pam.d control syntax allows more control over how PAM
              handles success and failure. success=3 specifies that when
              this module succeeds, PAM jumps over the next 3 auth lines of
              the stack and continues from there; default=ignore means that
              any other result from this module does not affect the outcome
              of the stack. This is useful, for instance, if
              /etc/pam.d/common-auth is included and contains 3 "auth
              required" or similar rules that we wish to skip, while still
              running the auth rules that follow them. Lines pulled in with
              @include or include count towards the jump as if they were
              written in this file; a substack counts as a single line.

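       The expansion and ownership rules from the EXPANSIONS section,
       applied to the file= templates in the examples above, as an added
       shell illustration. This is not the module's own code: it reproduces
       the documented behaviour so the resulting path and required owner can
       be checked before a rule goes into /etc/pam.d/sudo. Home directories
       are read from the file named by the assumed PSSAA_PASSWD variable
       (default /etc/passwd), a simplification of the NSS lookup the module
       itself performs; the function names are this example's own.

```shell
#!/bin/sh
# Added illustration, not part of pam_ssh_agent_auth. POSIX sh, awk and sed.

# Home directory of user $1 from the passwd-format file PSSAA_PASSWD
# (assumed name; defaults to /etc/passwd). Prints nothing for unknown users.
pssaa_home() {
    awk -F: -v u="$1" '$1 == u { print $6; exit }' "${PSSAA_PASSWD:-/etc/passwd}"
}

# Expand a file= template. $1 template, $2 authenticating user, $3 short
# hostname, $4 FQDN. Handles ~/, ~user/, %h, %u, %H and %f as documented;
# exits 1 if a home directory referred to by ~ or %h cannot be resolved.
pssaa_expand() {
    tmpl=$1 user=$2 host=$3 fqdn=$4
    case $tmpl in
        '~/'*)
            home=$(pssaa_home "$user"); [ -n "$home" ] || return 1
            tmpl="$home${tmpl#\~}" ;;
        '~'*)
            name=${tmpl#\~}; name=${name%%/*}
            home=$(pssaa_home "$name"); [ -n "$home" ] || return 1
            tmpl="$home${tmpl#\~"$name"}" ;;
    esac
    case $tmpl in
        *%h*) home=$(pssaa_home "$user"); [ -n "$home" ] || return 1 ;;
        *)    home= ;;
    esac
    # %h is lower-case only; sed is case-sensitive, so %H is left for its own rule.
    printf '%s\n' "$tmpl" |
        sed -e "s|%h|$home|g" -e "s|%u|$user|g" -e "s|%H|$host|g" -e "s|%f|$fqdn|g"
}

# Who must own the expanded file. $1 template, $2 authenticating user,
# $3 set to 1 when allow_user_owned_authorized_keys_file was given explicitly.
#   ~/ or %h      -> the flag is implied: the authenticating user
#   ~user/        -> 'user', unless the flag was given explicitly
#   anything else -> root, unless the flag was given explicitly
pssaa_expected_owner() {
    tmpl=$1 user=$2 explicit=${3:-0}
    case $tmpl in
        '~/'*|*%h*)
            printf '%s\n' "$user" ;;
        '~'*)
            if [ "$explicit" = 1 ]; then printf '%s\n' "$user"
            else name=${tmpl#\~}; printf '%s\n' "${name%%/*}"; fi ;;
        *)
            if [ "$explicit" = 1 ]; then printf '%s\n' "$user"; else echo root; fi ;;
    esac
}
```

       Running pssaa_expected_owner over a proposed rule before deploying
       it makes the consequence of the implied flag visible: any template
       containing ~/ or %h hands control of the key list to the user being
       authenticated, whatever the rest of the path looks like.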
       For more information, please see http://linux.die.net/man/5/pam.d

COPYRIGHT
       Copyright (c) 2008-2014, Jamie Beverly.
       And is based on openssh, and the included works by Markus Friedl,
       Darren Tucker, Todd C. Miller, Ben Lindstrom, Tim Rice, Damien Miller,
       and many others.

       All rights reserved.

       See sources for complete attributions.

       Redistribution and use in source and binary forms, with or without
       modification, are permitted provided that the following conditions
       are met:

       1. Redistributions of source code must retain the above copyright
          notice, this list of conditions and the following disclaimer.

       2. Redistributions in binary form must reproduce the above copyright
          notice, this list of conditions and the following disclaimer in
          the documentation and/or other materials provided with the
          distribution.

       THIS SOFTWARE IS PROVIDED BY Jamie Beverly ``AS IS'' AND ANY EXPRESS
       OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
       WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
       ARE DISCLAIMED. IN NO EVENT SHALL Jamie Beverly OR CONTRIBUTORS BE
       LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
       CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
       BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
       WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
       OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
       EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

v0.10.3                              2020-04-08                 pam_ssh_agent_auth(8)