Provided by: libpam-ssh_1.91.0-9_i386 bug


     pam_ssh - authentication and session management with SSH private keys


     [service-name] module-type control-flag pam_ssh [options]


     The SSH authentication service module for PAM, pam_ssh provides
     functionality for two PAM categories: authentication and session
     management.  In terms of the module-type parameter, they are the “auth”
     and “session” features.  It also provides null functions for the
     remaining categories.

   SSH Authentication Module
     The SSH authentication component provides a function to verify the
     identity of a user (pam_sm_authenticate()), by prompting the user for a
     passphrase and verifying that it can decrypt the target user’s SSH key
     using that passphrase.

     The following options may be passed to the authentication module:

     debug           syslog(3) debugging information at LOG_DEBUG level.

     use_first_pass  If the authentication module is not the first in the
                     stack, and a previous module obtained the user’s
                     password, that password is used to authenticate the user.
                     If this fails, the authentication module returns failure
                     without prompting the user for a password.  This option
                     has no effect if the authentication module is the first
                     in the stack, or if no previous modules obtained the
                     user’s password.

     try_first_pass  This option is similar to the use_first_pass option,
                     except that if the previously obtained password fails,
                     the user is prompted for another password.

     keyfiles        Specify the comma-separated list of files in $HOME/.ssh
                     to check for SSH keys.  The default is

   SSH Session Management Module
     The SSH session management component provides functions to initiate
     (pam_sm_open_session()) and terminate (pam_sm_close_session()) sessions.
     The pam_sm_open_session() function starts an SSH agent, passing it any
     private keys it decrypted during the authentication phase, and sets the
     environment variables the agent specifies.  The pam_sm_close_session()
     function kills the previously started SSH agent by sending it a SIGTERM.

     The following options may be passed to the session management module:

     debug           syslog(3) debugging information at LOG_DEBUG level.


     $HOME/.ssh/identity   SSH1/OpenSSH RSA key
     $HOME/.ssh/id_dsa     OpenSSH DSA key
     $HOME/.ssh2/id_rsa_*  SSH2 RSA keys
     $HOME/.ssh2/id_dsa_*  SSH2 DSA keys


     ssh-agent(1), syslog(3), pam.conf(5), pam(8)


     Andrew J. Korty 〈〉 wrote pam_ssh.  Dag-Erling Smorgrav wrote
     the original OpenPAM support code.  Mark R V Murray wrote the original
     version of this manual page.