NAME

       pam_sshauth - PAM module which authenticates against an ssh server

SYNOPSIS

       pam_sshauth.so [debug] [nostrict] [shm_askpass] [authtries=tries] [try_first_pass] [host=host]
                      [port=port]

DESCRIPTION

       pam_sshauth is a PAM module that can be used to authenticate a user based on whether they can ssh into an
       external machine.  It is written using sshlib.

       The following PAM environment list variables are set by the module: PAM_SSHAUTH_HOST and
       PAM_SSHAUTH_PORT.  Both of these reflect what was passed on the PAM command line to the module.

       The module will attempt to initiate an SSH session with the host specified.  It will support public-key,
       simple password, and keyboard-interactive authentication methods.  Note that, in order for keyboard-
       interactive methods to work, the SSH server must have enabled ChallengeResponseAuthentication in it's
       configuration.  This would be needed if you'd like the pam_sshauth module to handle password expiry
       messages when talking to the SSH server.

OPTIONS

       debug
           Log debug information to syslog.  The LOG_AUTH facility is used.

       nostrict
           If contacting a host for which we don't have an entry in /etc/ssh/known_hosts, ask, via the pam
           prompts, if you'd like to trust this host.  The default will be to fail the authentication.

       shm_askpass
           Properly handle interaction with the ASKPASS helper shm_askpass to allow you to spawn ssh sockets.

       host=host
           Specifies the host we're to authenticate with.

       port=port
           Specifies the port we're to contact the remote ssh server on (if not specified, it defaults to 22).

       authtries=num
           Specifies the number of times we will try to authenticate.  Defaults to 3.  Note that this is only
           the number of times pam_sshauth will try.  If the SSH server has a smaller number specified via
           MaxAuthTries, pam_sshauth will not override that.

       try_first_pass
           Use the authentication token previously obtained by another module in the pam stack.  If the token
           cannot be obtained, the pam_sshauth will prompt for a password.

MODULE TYPES PROVIDED

       Only the auth module type is provided.

RETURN VALUES

       PAM_SUCCESS
           The user authenticated successfully.

       PAM_AUTH_ERR
           The user did not authenticate successfully.

       PAM_SYSTEM_ERR
           A system error occurred in establishing the ssh connection to the host specified.  Check the syslog
           for details.

EXAMPLES

       For an authentication line:

                   auth required pam_sshauth.so debug nostrict host=192.168.0.254 port=22

SEE ALSO

       pam.conf(5), pam.d(5), pam(7)

FILES

       /etc/ssh/ssh_known_hosts
           Servers to be authenticated must have an entry present in this file. The format of this file is
           documented in the sshd(8) man page.

AUTHOR

       pam_sshauth was written by Scott Balneaves <sbalneav@ltsp.org>.

                                                   2015-07-02                                     PAM_SSHAUTH(8)