Provided by: libpam-ssh_2.0-1_amd64

NAME

       pam_ssh — authentication and session management with SSH private keys

SYNOPSIS

       [service-name] module-type control-flag pam_ssh [options]

DESCRIPTION

       The  SSH  authentication  service  module for PAM, pam_ssh provides functionality for two PAM categories:
       authentication and session management.  In terms of the module-type parameter, they are  the  “auth”  and
       “session” features.  It also provides null functions for the remaining categories.

   SSH Authentication Module
       The  SSH  authentication component verifies the identity of a user by prompting the user for a passphrase
       and verifying that it can decrypt at least one of the user's SSH login  (or  authentication)  keys  using
       that passphrase.

       The  user's  SSH  login  keys  must be either located or symbolically linked to in the per-user dedicated
       folder ~/.ssh/login-keys.d/ in the user's home directory.

       The following options may be passed to the authentication module:
       debug   syslog(3) debugging information at LOG_DEBUG level.
       use_first_pass
               If the authentication module is not the first in the stack, and a previous  module  obtained  the
               user's password, that password is used to decrypt the user's SSH login keys.  If this fails, then
               the authentication module returns failure without prompting the user for a passphrase.
       try_first_pass
               Similar  to  the  use_first_pass option, except that if the previously obtained password fails to
                decrypt any of the SSH login keys, then the user is prompted for an SSH passphrase.
       nullok  Allow SSH keys with no passphrase.

       If neither use_first_pass nor try_first_pass is specified, pam_ssh will unconditionally ask  for  an  SSH
       passphrase.

       The now deprecated name allow_blank_passphrase for nullok is kept for compatibility reasons.

   SSH Session Management Module
       The SSH session management component initiates sessions by launching an SSH agent, passing it any of the
       user's SSH login keys successfully decrypted during the authentication phase and any of the user's SSH
       session keys successfully decrypted at that point, and sets the dedicated environment variables
       accordingly; the environment variable TMPDIR, which can be set through the pam_tmpdir module for
       instance, is also honoured by being passed to the SSH agent.

       The  SSH session management component terminates the session by killing the previously launched SSH agent
       by sending it a SIGTERM.

       The traditional SSH keys ~/.ssh/identity, ~/.ssh/id_rsa, ~/.ssh/id_dsa, and ~/.ssh/id_ecdsa are
       considered the default SSH session keys.  In addition, extra SSH session keys of the user can be either
       located or symbolically linked to in the per-user dedicated folder ~/.ssh/session-keys.d/ in the user's
       home directory.

       The following option may be passed to the session management module:
       debug   syslog(3) debugging information at LOG_DEBUG level.

INFORMATION LEAKS

       Be careful when using the try_first_pass option if pam_ssh is the first authentication module, because
       it will then leak information about existing users without login keys: such users will not be asked for
       a specific SSH passphrase, whereas non-existing users and existing users with login keys will be asked
       for a passphrase.
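       As an added illustration (not from the pam_ssh distribution or the Debian pam-configs profile), two
       /etc/pam.d auth stacks: the first reproduces the leaking arrangement described above, the second avoids
       it by letting pam_unix prompt every account identically and having pam_ssh reuse that password via
       use_first_pass.  The control flags are the usual Linux-PAM ones; the assumption is that the user's login
       key passphrase equals the Unix password, which is the case use_first_pass is meant for.

```conf
# Leaks which existing users lack login keys: pam_ssh runs first with
# try_first_pass, so whether the user sees an "SSH passphrase" prompt
# depends on whether ~/.ssh/login-keys.d/ holds a usable key.
auth    sufficient  pam_ssh.so   try_first_pass
auth    required    pam_unix.so  use_first_pass

# Corrected ordering: pam_unix asks every account (existing or not) for
# the same password; pam_ssh never prompts, it only reuses that password
# to decrypt the login keys and returns failure quietly if it cannot.
# As "optional", that failure does not change the authentication result.
auth    required    pam_unix.so
auth    optional    pam_ssh.so   use_first_pass
# The session component then starts ssh-agent with the decrypted keys.
session optional    pam_ssh.so
```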

FILES

       ~/.ssh/
               This directory is the default per-user location for all user-specific SSH configuration  and  SSH
               authentication information as expected by SSH and its friends.

       ~/.ssh/identity
       ~/.ssh/id_rsa
       ~/.ssh/id_dsa
       ~/.ssh/id_ecdsa
               Contains  the traditional private key for authentication.  These files contain sensitive data and
               should be readable by the user but not accessible by others: any  traditional  private  key  file
               that  is  accessible  by  others  is  simply  ignored.   While  the SSH authentication management
               component ignores the traditional private keys, the SSH session management component  passes  any
               successfully decrypted traditional key to the launched SSH agent.

       ~/.ssh/login-keys.d/
                This directory is the dedicated per-user location for files or symbolic links to files that
                contain SSH private keys considered by the SSH authentication management component.  pam_ssh
                ignores any private key file that is accessible by others or that possesses .disabled or .frozen
                as suffix.  Each login key successfully decrypted is passed by the SSH session management
                component to the launched SSH agent.

       ~/.ssh/session-keys.d/
                This directory is the dedicated per-user location for files or symbolic links to files that
                contain (extra) SSH private keys considered only by the SSH session management component.
                pam_ssh ignores any private key file that is accessible by others or that possesses .disabled or
                .frozen as suffix.  Each session key successfully decrypted is passed to the launched SSH agent.

       /var/log/auth.log
               Usual log file for syslog(3).

       /usr/share/pam-configs/ssh
               pam_ssh supplied authentication profile as managed by pam-auth-update(8).

SEE ALSO

       ssh(1),   ssh-agent(1),   ssh-add(1),   ssh-keygen(1),   syslog(3),   pam.conf(5),   pam.d(5),    pam(8),
       pam-auth-update(8), pam_tmp

AUTHORS

       Andrew J. Korty <ajk@iu.edu> wrote pam_ssh.  Dag-Erling Smorgrav wrote the original OpenPAM support code.
       Mark  R V Murray wrote the original version of this manual page.  Jens Peter Secher introduced the login-
       key concept.  Refreshed for Debian by Jerome Benoit <calculus@rezozer.net>.

Debian                                          November 20, 2013                                     PAM_SSH(8)