1PAM_SSH(8)                BSD System Manager's Manual               PAM_SSH(8)
2

NAME

4     pam_ssh — authentication and session management with SSH private keys
5

SYNOPSIS

7     [service-name] module-type control-flag pam_ssh [options]
8

DESCRIPTION

10     The SSH authentication service module for PAM, pam_ssh provides function‐
11     ality for two PAM categories: authentication and session management.  In
12     terms of the module-type parameter, they are the “auth” and “session”
13     features.  It also provides null functions for the remaining categories.
14
15   SSH Authentication Module
16     The SSH authentication component verifies the identity of a user by
17     prompting the user for a passphrase and verifying that it can decrypt at
18     least one of the user's SSH login (or authentication) keys using that
19     passphrase.
20
21     The user's SSH login keys must be either located or symbolically linked
22     into the per-user dedicated folder ~/.ssh/login-keys.d/ in the user's
23     home directory.
24
25     The following options may be passed to the authentication module:
26     debug   syslog(3) debugging information at LOG_DEBUG level.
27     use_first_pass
28             If the authentication module is not the first in the stack, and a
29             previous module obtained the user's password, that password is
30             used to decrypt the user's SSH login keys.  If this fails, then
31             the authentication module returns failure without prompting the
32             user for a passphrase.
33     try_first_pass
34             Similar to the use_first_pass option, except that if the previ‐
35             ously obtained password fails to decrypt any of the SSH login
36             keys, then the user is prompted for an SSH passphrase.
37     nullok  Allow SSH keys with no passphrase.
38
39     If neither use_first_pass nor try_first_pass is specified, pam_ssh will
40     unconditionally ask for an SSH passphrase.
41
42     The now deprecated name allow_blank_passphrase for nullok is kept for
43     compatibility reasons.
44
45   SSH Session Management Module
46     The SSH session management component initiates sessions by launching an
47     SSH agent, passing it any user's SSH login keys successfully decrypted
48     during the authentication phase and any additional user SSH session keys
49     successfully decrypted, and sets dedicated environment variables accord‐
50     ingly; the environment variable TMPDIR, which can be set through the
51     pam_tmpdir module for instance, is also honoured by being passed to the
52     SSH agent.
53
54     The SSH session management component terminates the session by killing
55     the previously launched SSH agent by sending it a SIGTERM.
56
57     The traditional SSH keys ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
58     and ~/.ssh/id_ed25519 are considered as the default SSH session keys.
59     Nonetheless, extra user SSH session keys can be either located or symbol‐
60     ically linked into the per-user dedicated folder ~/.ssh/session-keys.d/
61     in the user's home directory.
62
63     Provided that they have been successfully decrypted, the SSH session man‐
64     agement passes to the launched SSH agent first the session SSH keys in
65     lexical order, second the login SSH keys in lexical order, and finally
66     the traditional SSH keys in the reverse order cited above.  Since the SSH
67     agent keeps in its memory for each passed key its first position (but its
68     last comment), each SSH key rank can be easily overwritten with an appro‐
69     priate symbolic link placed in ~/.ssh/session-keys.d/ or
70     ~/.ssh/login-keys.d/; this is especially true for the traditional SSH
71     keys.  The involved lexical order is performed against the SSH key file
72     basenames (according to the C/POSIX locale character collation rules).
73     Because actually their basenames are passed as comments, their effective
74     order might be easily checked with an appropriate SSH agent helper as
75     ssh-add(3).  As final remark, keep in mind that the SSH agent may place
76     itself SSH keys with protocol 1 before SSH keys with protocol 2.
77
78     The following option may be passed to the session management module:
79     debug   syslog(3) debugging information at LOG_DEBUG level.
80

INFORMATION LEAKS

82     Be careful with the using the try_first_pass option when pam_ssh is the
83     first authentication module because it will then leak information about
84     existing users without login keys: such users will not be asked for a
85     specific SSH passphrase, whereas non-existing users and existing users
86     with login keys will be asked for a passphrase.
87

FILES

89     ~/.ssh/
90             This directory is the default per-user location for all user-spe‐
91             cific SSH configuration and SSH authentication information as
92             expected by SSH and its friends.
93
94     ~/.ssh/id_rsa
95     ~/.ssh/id_dsa
96     ~/.ssh/id_ecdsa
97     ~/.ssh/id_ed25519
98             Contains the traditional private key for authentication.  These
99             files contain sensitive data and should be readable by the user
100             but not accessible by others: any traditional private key file
101             that is accessible by others is simply ignored.  While the SSH
102             authentication component ignores the traditional private keys,
103             the SSH session management component passes any successfully
104             decrypted traditional key to the launched SSH agent.
105
106     ~/.ssh/login-keys.d/
107             This directory is the dedicated per-user location for files or
108             symbolic links to files that contains SSH private keys considered
109             by the SSH authentication component.  pam_ssh ignores any private
110             key file that is accessible by others or that possesses .disabled
111             or .frozen as suffix.  Each login key successfully decrypted is
112             passed by the SSH session management component to the launched
113             SSH agent.
114
115     ~/.ssh/session-keys.d/
116             This directory is the dedicated per-user location for files or
117             symbolic links to files that contains (extra) SSH private keys
118             considered only by the SSH session management component.  pam_ssh
119             ignores any private key file that is accessible by others or that
120             possesses .disabled or .frozen as suffix.  Each session key suc‐
121             cessfully decrypted is passed to the lauched SSH agent.
122
123     /run/pam_ssh/<user>*
124             ssh-agent environment information. The files are owned by the
125             superuser but readable by the users. The location is Fedora spe‐
126             cific, in the original package these files are in
127             $HOME/.ssh/agent-*
128

SEE ALSO

130     ssh(1), ssh-agent(1), ssh-add(1), ssh-keygen(1), syslog(3), pam.conf(5),
131     pam.d(5), pam(8)
132

AUTHORS

134     Andrew J. Korty <ajk@iu.edu> wrote pam_ssh.  Dag-Erling Smorgrav wrote
135     the original OpenPAM support code.  Mark R V Murray wrote the original
136     version of this manual page.  Jens Peter Secher introduced the login-key
137     concept.  Refreshed for Debian by Jerome Benoit <calculus@rezozer.net>.
138     pam_ssh is currently maintained by Wolfgang Rosenauer.
139
140                               January 14, 2019
Impressum