Provided by: libpam-ssh_2.3+ds-1_amd64 bug

NAME

     pam_ssh — authentication and session management with SSH private keys

SYNOPSIS

     [service-name] module-type control-flag pam_ssh [options]

DESCRIPTION

     The SSH authentication service module for PAM, pam_ssh provides functionality for two PAM
     categories: authentication and session management.  In terms of the module-type parameter,
     they are the “auth” and “session” features.  It also provides null functions for the
     remaining categories.

   SSH Authentication Module
     The SSH authentication component verifies the identity of a user by prompting the user for a
     passphrase and verifying that it can decrypt at least one of the user's SSH login (or
     authentication) keys using that passphrase.

     The user's SSH login keys must be either located or symbolically linked into the per-user
     dedicated folder ~/.ssh/login-keys.d/ in the user's home directory.

     The following options may be passed to the authentication module:
     debug   syslog(3) debugging information at LOG_DEBUG level.
     use_first_pass
             If the authentication module is not the first in the stack, and a previous module
             obtained the user's password, that password is used to decrypt the user's SSH login
             keys.  If this fails, then the authentication module returns failure without
             prompting the user for a passphrase.
     try_first_pass
             Similar to the use_first_pass option, except that if the previously obtained
             password fails to decrypt any of the SSH login keys, then the user is prompted for
             an SSH passphrase.
     nullok  Allow SSH keys with no passphrase.

     If neither use_first_pass nor try_first_pass is specified, pam_ssh will unconditionally ask
     for an SSH passphrase.

     The now deprecated name allow_blank_passphrase for nullok is kept for compatibility reasons.

   SSH Session Management Module
     The SSH session management component initiates sessions by launching an SSH agent, passing
     it any user's SSH login keys successfully decrypted during the authentication phase and any
     additional user SSH session keys successfully decrypted, and sets dedicated environment
     variables accordingly; the environment variable TMPDIR, which can be set through the
     pam_tmpdir module for instance, is also honoured by being passed to the SSH agent.

     The SSH session management component terminates the session by killing the previously
     launched SSH agent by sending it a SIGTERM.

     The traditional SSH keys ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, and
     ~/.ssh/id_ed25519 are considered as the default SSH session keys.  Nonetheless, extra user
     SSH session keys can be either located or symbolically linked into the per-user dedicated
     folder ~/.ssh/session-keys.d/ in the user's home directory.

     Provided that they have been successfully decrypted, the SSH session management passes to
     the launched SSH agent first the session SSH keys in lexical order, second the login SSH
     keys in lexical order, and finally the traditional SSH keys in the reverse order cited
     above.  Since the SSH agent keeps in its memory for each passed key its first position (but
     its last comment), each SSH key rank can be easily overwritten with an appropriate symbolic
     link placed in ~/.ssh/session-keys.d/ or ~/.ssh/login-keys.d/; this is especially true for
     the traditional SSH keys.  The involved lexical order is performed against the SSH key file
     basenames (according to the C/POSIX locale character collation rules).  Because actually
     their basenames are passed as comments, their effective order might be easily checked with
     an appropriate SSH agent helper as ssh-add(3).  As final remark, keep in mind that the SSH
     agent may place itself SSH keys with protocol 1 before SSH keys with protocol 2.

     The following option may be passed to the session management module:
     debug   syslog(3) debugging information at LOG_DEBUG level.

INFORMATION LEAKS

     Be careful with the using the try_first_pass option when pam_ssh is the first authentication
     module because it will then leak information about existing users without login keys: such
     users will not be asked for a specific SSH passphrase, whereas non-existing users and
     existing users with login keys will be asked for a passphrase.

FILES

     ~/.ssh/
             This directory is the default per-user location for all user-specific SSH
             configuration and SSH authentication information as expected by SSH and its friends.

     ~/.ssh/id_rsa
     ~/.ssh/id_dsa
     ~/.ssh/id_ecdsa
     ~/.ssh/id_ed25519
             Contains the traditional private key for authentication.  These files contain
             sensitive data and should be readable by the user but not accessible by others: any
             traditional private key file that is accessible by others is simply ignored.  While
             the SSH authentication component ignores the traditional private keys, the SSH
             session management component passes any successfully decrypted traditional key to
             the launched SSH agent.

     ~/.ssh/login-keys.d/
             This directory is the dedicated per-user location for files or symbolic links to
             files that contains SSH private keys considered by the SSH authentication component.
             pam_ssh ignores any private key file that is accessible by others or that possesses
             .disabled or .frozen as suffix.  Each login key successfully decrypted is passed by
             the SSH session management component to the launched SSH agent.

     ~/.ssh/session-keys.d/
             This directory is the dedicated per-user location for files or symbolic links to
             files that contains (extra) SSH private keys considered only by the SSH session
             management component.  pam_ssh ignores any private key file that is accessible by
             others or that possesses .disabled or .frozen as suffix.  Each session key
             successfully decrypted is passed to the launched SSH agent.

     /var/log/auth.log
             Usual log file for syslog(3).

     /usr/share/pam-configs/ssh
             pam_ssh Debian package supplied authentication profile as managed by
             pam-auth-update(8).

SEE ALSO

     ssh(1), ssh-agent(1), ssh-add(1), ssh-keygen(1), syslog(3), pam.conf(5), pam.d(5), pam(8),
     pam-auth-update(8), pam_tmp

AUTHORS

     Andrew J. Korty <ajk@iu.edu> wrote pam_ssh.  Dag-Erling Smorgrav wrote the original OpenPAM
     support code.  Mark R V Murray wrote the original version of this manual page.  Jens Peter
     Secher introduced the login-key concept.  Refreshed for Debian by Jerome Benoit
     <calculus@rezozer.net>. pam_ssh is currently maintained by Wolfgang Rosenauer.

                                         January 14, 2019