xref: /freebsd/lib/libpam/modules/pam_ssh/pam_ssh.8 (revision 0e97acdf58fe27b09c4824a474b0344daf997c5f)
1.\" Copyright (c) 2001 Mark R V Murray
2.\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
3.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
4.\" All rights reserved.
5.\"
6.\" This software was developed for the FreeBSD Project by ThinkSec AS and
7.\" NAI Labs, the Security Research Division of Network Associates, Inc.
8.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
9.\" DARPA CHATS research program.
10.\"
11.\" Redistribution and use in source and binary forms, with or without
12.\" modification, are permitted provided that the following conditions
13.\" are met:
14.\" 1. Redistributions of source code must retain the above copyright
15.\"    notice, this list of conditions and the following disclaimer.
16.\" 2. Redistributions in binary form must reproduce the above copyright
17.\"    notice, this list of conditions and the following disclaimer in the
18.\"    documentation and/or other materials provided with the distribution.
19.\" 3. The name of the author may not be used to endorse or promote
20.\"    products derived from this software without specific prior written
21.\"    permission.
22.\"
23.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33.\" SUCH DAMAGE.
34.\"
35.\" $FreeBSD$
36.\"
37.Dd October 7, 2011
38.Dt PAM_SSH 8
39.Os
40.Sh NAME
41.Nm pam_ssh
42.Nd authentication and session management with SSH private keys
43.Sh SYNOPSIS
44.Op Ar service-name
45.Ar module-type
46.Ar control-flag
47.Pa pam_ssh
48.Op Ar options
49.Sh DESCRIPTION
50The
51SSH
52authentication service module for PAM,
53.Nm
54provides functionality for two PAM categories:
55authentication
56and session management.
57In terms of the
58.Ar module-type
59parameter, they are the
60.Dq Li auth
61and
62.Dq Li session
63features.
64.Ss SSH Authentication Module
65The
66SSH
67authentication component
68provides a function to verify the identity of a user
69.Pq Fn pam_sm_authenticate ,
70by prompting the user for a passphrase and verifying that it can
71decrypt the target user's SSH key using that passphrase.
72.Pp
73The following options may be passed to the authentication module:
74.Bl -tag -width ".Cm use_first_pass"
75.It Cm use_first_pass
76If the authentication module
77is not the first in the stack,
78and a previous module
79obtained the user's password,
80that password is used
81to authenticate the user.
82If this fails,
83the authentication module returns failure
84without prompting the user for a password.
85This option has no effect
86if the authentication module
87is the first in the stack,
88or if no previous modules
89obtained the user's password.
90.It Cm try_first_pass
91This option is similar to the
92.Cm use_first_pass
93option,
94except that if the previously obtained password fails,
95the user is prompted for another password.
96.It Cm nullok
97Normally, keys with no passphrase are ignored for authentication
98purposes.
99If this option is set, keys with no passphrase will be taken into
100consideration, allowing the user to log in with a blank password.
101.El
102.Ss SSH Session Management Module
103The
104SSH
105session management component
106provides functions to initiate
107.Pq Fn pam_sm_open_session
108and terminate
109.Pq Fn pam_sm_close_session
110sessions.
111The
112.Fn pam_sm_open_session
113function starts an SSH agent,
114passing it any private keys it decrypted
115during the authentication phase,
116and sets the environment variables
117the agent specifies.
118The
119.Fn pam_sm_close_session
120function kills the previously started SSH agent
121by sending it a
122.Dv SIGTERM .
123.Pp
124The following options may be passed to the session management module:
125.Bl -tag -width ".Cm want_agent"
126.It Cm want_agent
127Start an agent even if no keys were decrypted during the
128authentication phase.
129.El
130.Sh FILES
131.Bl -tag -width ".Pa $HOME/.ssh/identity" -compact
132.It Pa $HOME/.ssh/identity
133SSH1 RSA key
134.It Pa $HOME/.ssh/id_rsa
135SSH2 RSA key
136.It Pa $HOME/.ssh/id_dsa
137SSH2 DSA key
138.It Pa $HOME/.ssh/id_ecdsa
139SSH2 ECDSA key
140.El
141.Sh SEE ALSO
142.Xr ssh-agent 1 ,
143.Xr pam.conf 5 ,
144.Xr pam 8
145.Sh AUTHORS
146The
147.Nm
148module was originally written by
149.An -nosplit
150.An Andrew J. Korty Aq Mt ajk@iu.edu .
151The current implementation was developed for the
152.Fx
153Project by
154ThinkSec AS and NAI Labs, the Security Research Division of Network
155Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
156.Pq Dq CBOSS ,
157as part of the DARPA CHATS research program.
158This manual page was written by
159.An Mark R V Murray Aq Mt markm@FreeBSD.org .
160