Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

pam_ssh(8) [debian man page]

PAM_SSH(8)						    BSD System Manager's Manual 						PAM_SSH(8)

NAME

     pam_ssh -- authentication and session management with SSH private keys

DESCRIPTION

     The SSH authentication service module for PAM, pam_ssh provides functionality for two PAM categories: authentication and session management.

   SSH Authentication Module
     The SSH authentication component verifies the identity of a user by prompting the user for a passphrase and verifying that it can decrypt at
     least one of the user's SSH login keys using that passphrase.

     The following options may be passed to the authentication module:

     debug		     syslog(3) debugging information at LOG_DEBUG level.

     use_first_pass	     If the authentication module is not the first in the stack, and a previous module obtained the user's password, then
			     that password is used to decrypt the user's SSH login keys.  If this fails, then the authentication module returns
			     failure without prompting the user for a passphrase.

     try_first_pass	     Similar to the use_first_pass option, except that if the previously obtained password fails to decrypt any of the SSH
			     login keys, then the user is prompted for an SSH passphrase.

			     try_first_pass has no effect if pam_ssh is the first module on the stack, or if no previous modules obtained the
			     user's password.

     allow_blank_passphrase  Allow SSH keys with no passphrase.

     If neither use_first_pass nor try_first_pass is specified, pam_ssh will unconditionally ask for an SSH passphrase.

     In addition to the above authentication procedure, all standard SSH keys (identity, id_rsa, id_dsa) for which the obtained password matches
     will be decrypted.

   SSH Session Management Module
     The SSH session management component initiates sessions by starting an SSH agent, passing it any SSH login keys it decrypted during the
     authentication phase, and sets the environment variables accordingly.

     The SSH session management component terminates the session by killing the previously started SSH agent by sending it a SIGTERM.

     The following options may be passed to the session management module:

     debug	     syslog(3) debugging information at LOG_DEBUG level.

INFORMATION LEAKS

     Be careful with the using the try_first_pass option when pam_ssh is the first authentication module because it will then leak information
     about existing users without login keys: such users will not be asked for a specific SSH passphrase, whereas non-existing users and existing
     users with login keys will be asked for a passphrase.

FILES

     $HOME/.ssh/identity
     $HOME/.ssh/id_rsa
     $HOME/.ssh/id_dsa	       OpenSSH DSA/RSA keys decrypted by pam_ssh.
     $HOME/.ssh/login-keys.d/  Location of (possibly symbolic links to) OpenSSH DSA/RSA keys used for authentication and decrypted by pam_ssh.
     /var/log/auth.log	       Usual log file for syslog(3)

SEE ALSO

     ssh-agent(1), syslog(3), pam.conf(5), pam(8).

AUTHORS

     Andrew J. Korty <ajk@iu.edu> wrote pam_ssh.  Dag-Erling Smorgrav wrote the original OpenPAM support code.	Mark R V Murray wrote the original
     version of this manual page.  Jens Peter Secher introduced the login-key concept.

BSD
								 November 26, 2001							       BSD

Check Out this Related Man Page

SSH-ADD(1)						    BSD General Commands Manual 						SSH-ADD(1)

NAME

     ssh-add -- adds RSA or DSA identities to the authentication agent

SYNOPSIS

     ssh-add [-lLdDxX] [-t life] [file ...]
     ssh-add -s reader
     ssh-add -e reader

DESCRIPTION

     ssh-add adds RSA or DSA identities to the authentication agent, ssh-agent(1).  When run without arguments, it adds the files
     $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity.  Alternative file names can be given on the command line.  If any file requires
     a passphrase, ssh-add asks for the passphrase from the user.  The passphrase is read from the user's tty.	ssh-add retries the last
     passphrase if multiple identity files are given.

     The authentication agent must be running and must be an ancestor of the current process for ssh-add to work.

     The options are as follows:

     -l      Lists fingerprints of all identities currently represented by the agent.

     -L      Lists public key parameters of all identities currently represented by the agent.

     -d      Instead of adding the identity, removes the identity from the agent.

     -D      Deletes all identities from the agent.

     -x      Lock the agent with a password.

     -X      Unlock the agent.

     -t life
	     Set a maximum lifetime when adding identities to an agent.  The lifetime may be specified in seconds or in a time format specified in
	     sshd(8).

     -s reader
	     Add key in smartcard reader.

     -e reader
	     Remove key in smartcard reader.

FILES

     $HOME/.ssh/identity
	     Contains the protocol version 1 RSA authentication identity of the user.

     $HOME/.ssh/id_dsa
	     Contains the protocol version 2 DSA authentication identity of the user.

     $HOME/.ssh/id_rsa
	     Contains the protocol version 2 RSA authentication identity of the user.

     Identity files should not be readable by anyone but the user.  Note that ssh-add ignores identity files if they are accessible by others.

ENVIRONMENT

     DISPLAY and SSH_ASKPASS
	     If ssh-add needs a passphrase, it will read the passphrase from the current terminal if it was run from a terminal.  If ssh-add does
	     not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS and
	     open an X11 window to read the passphrase.  This is particularly useful when calling ssh-add from a .Xsession or related script.
	     (Note that on some machines it may be necessary to redirect the input from /dev/null to make this work.)

     SSH_AUTH_SOCK
	     Identifies the path of a unix-domain socket used to communicate with the agent.

DIAGNOSTICS

     Exit status is 0 on success, 1 if the specified command fails, and 2 if ssh-add is unable to contact the authentication agent.

AUTHORS

     OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
     Theo de Raadt and Dug Song removed many bugs, re-added newer features and created OpenSSH.  Markus Friedl contributed the support for SSH
     protocol versions 1.5 and 2.0.

SEE ALSO

     ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8)

BSD
								September 25, 1999							       BSD
Man Page