Provided by: libpam-sshauth_0.4.1-2_amd64

NAME

       pam_sshauth - PAM module which authenticates against an ssh server

SYNOPSIS

       pam_sshauth.so [debug] [nostrict] [shm_askpass] [authtries=tries] [try_first_pass]
                      [host=host] [port=port]

DESCRIPTION

       pam_sshauth is a PAM module that can be used to authenticate a user based on whether they
       can ssh into an external machine.  It is written using sshlib.

       The following PAM environment list variables are set by the module: PAM_SSHAUTH_HOST and
       PAM_SSHAUTH_PORT.  Both of these reflect what was passed on the PAM command line to the
       module.

       The module will attempt to initiate an SSH session with the host specified.  It will
       support public-key, simple password, and keyboard-interactive authentication methods.
       Note that, in order for keyboard-interactive methods to work, the SSH server must have
       enabled ChallengeResponseAuthentication in its configuration.  This would be needed if
       you'd like the pam_sshauth module to handle password expiry messages when talking to the
       SSH server.

OPTIONS

       debug
           Log debug information to syslog.  The LOG_AUTH facility is used.

       nostrict
           If contacting a host for which we don't have an entry in /etc/ssh/known_hosts, ask,
           via the PAM prompts, if you'd like to trust this host.  The default will be to fail
           the authentication.

       shm_askpass
           Properly handle interaction with the ASKPASS helper shm_askpass to allow you to spawn
           ssh sockets.

       host=host
           Specifies the host we're to authenticate with.

       port=port
           Specifies the port we're to contact the remote ssh server on (if not specified, it
           defaults to 22).

       authtries=tries
           Specifies the number of times we will try to authenticate.  Defaults to 3.  Note that
           this is only the number of times pam_sshauth will try.  If the SSH server has a
           smaller number specified via MaxAuthTries, pam_sshauth will not override that.

       try_first_pass
           Use the authentication token previously obtained by another module in the pam stack.
           If the token cannot be obtained, pam_sshauth will prompt for a password.

MODULE TYPES PROVIDED

       Only the auth module type is provided.

RETURN VALUES

       PAM_SUCCESS
           The user authenticated successfully.

       PAM_AUTH_ERR
           The user did not authenticate successfully.

       PAM_SYSTEM_ERR
           A system error occurred in establishing the ssh connection to the host specified.
           Check the syslog for details.

EXAMPLES

       For an authentication line:

                   auth required pam_sshauth.so debug nostrict host=192.168.0.254 port=22
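
       A configuration check for lines like the one above, added here as an example and not
       part of pam_sshauth or its package: it parses pam_sshauth lines against the options
       documented on this page and flags nostrict, unknown or malformed options, and bad port
       or authtries values.  The function names and the sample lines are constructed.

```python
import shlex

# Options documented in pam_sshauth(8): bare flags and key=value settings.
FLAGS = {"debug", "nostrict", "shm_askpass", "try_first_pass"}
SETTINGS = {"host", "port", "authtries"}
# Constructed sample of PAM configuration lines (not taken from a real system).
SAMPLE = """\
auth required pam_sshauth.so debug nostrict host=192.168.0.254 port=22
auth required pam_sshauth.so host=192.168.0.254 port=22 authtries=3
auth required pam_unix.so try_first_pass
auth [success=1 default=ignore] /lib/security/pam_sshauth.so host=192.168.0.254 port=70000 nostric
"""

def parse_sshauth_line(line):
    """Return the option dict of a pam_sshauth line, or None for any other line."""
    tokens = shlex.split(line, comments=True)
    for i, tok in enumerate(tokens):
        if tok.rsplit("/", 1)[-1] == "pam_sshauth.so":
            opts = {}
            for arg in tokens[i + 1:]:
                key, sep, value = arg.partition("=")
                opts[key] = value if sep else True  # True marks a bare flag
            return opts
    return None

def audit(opts):
    """List problems in one parsed option set (empty list: nothing flagged)."""
    findings = []
    for key, value in opts.items():
        if key not in FLAGS | SETTINGS:
            findings.append(f"unknown option: {key}")
        elif (key in SETTINGS) == (value is True):  # setting without value, or flag with one
            findings.append(f"malformed option: {key}")
    if opts.get("nostrict") is True:
        findings.append("nostrict: unknown host keys go to a user prompt instead of failing")
    port = opts.get("port")
    if isinstance(port, str) and not (port.isdecimal() and 1 <= int(port) <= 65535):
        findings.append(f"port must be 1-65535: {port}")
    tries = opts.get("authtries")
    if isinstance(tries, str) and not (tries.isdecimal() and int(tries) >= 1):
        findings.append(f"authtries must be a positive integer: {tries}")
    return findings

def audit_text(text):
    """Return {line_number: findings} for each pam_sshauth line in text."""
    parsed = ((n, parse_sshauth_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return {n: audit(opts) for n, opts in parsed if opts is not None}

if __name__ == "__main__":
    print(audit_text(SAMPLE))
```

       A misspelled option such as nostric is reported as unknown, so a typo cannot pass for
       the intended setting unnoticed.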

SEE ALSO

       pam.conf(5), pam.d(5), pam(7)

FILES

       /etc/ssh/ssh_known_hosts
           Servers to be authenticated must have an entry present in this file. The format of
           this file is documented in the sshd(8) man page.

AUTHOR

       pam_sshauth was written by Scott Balneaves <sbalneav@ltsp.org>.

                                            2015-07-02                             PAM_SSHAUTH(8)