xref: /freebsd/lib/libpam/modules/pam_ssh/pam_ssh.8 (revision 7fdf597e96a02165cfe22ff357b857d5fa15ed8a)
1.\" Copyright (c) 2001 Mark R V Murray
2.\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
3.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
4.\" All rights reserved.
5.\"
6.\" This software was developed for the FreeBSD Project by ThinkSec AS and
7.\" NAI Labs, the Security Research Division of Network Associates, Inc.
8.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
9.\" DARPA CHATS research program.
10.\"
11.\" Redistribution and use in source and binary forms, with or without
12.\" modification, are permitted provided that the following conditions
13.\" are met:
14.\" 1. Redistributions of source code must retain the above copyright
15.\"    notice, this list of conditions and the following disclaimer.
16.\" 2. Redistributions in binary form must reproduce the above copyright
17.\"    notice, this list of conditions and the following disclaimer in the
18.\"    documentation and/or other materials provided with the distribution.
19.\" 3. The name of the author may not be used to endorse or promote
20.\"    products derived from this software without specific prior written
21.\"    permission.
22.\"
23.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33.\" SUCH DAMAGE.
34.\"
35.Dd October 7, 2011
36.Dt PAM_SSH 8
37.Os
38.Sh NAME
39.Nm pam_ssh
40.Nd authentication and session management with SSH private keys
41.Sh SYNOPSIS
42.Op Ar service-name
43.Ar module-type
44.Ar control-flag
45.Pa pam_ssh
46.Op Ar options
47.Sh DESCRIPTION
48The
49SSH
50authentication service module for PAM,
51.Nm
52provides functionality for two PAM categories:
53authentication
54and session management.
55In terms of the
56.Ar module-type
57parameter, they are the
58.Dq Li auth
59and
60.Dq Li session
61features.
62.Ss SSH Authentication Module
63The
64SSH
65authentication component
66provides a function to verify the identity of a user
67.Pq Fn pam_sm_authenticate ,
68by prompting the user for a passphrase and verifying that it can
69decrypt the target user's SSH key using that passphrase.
70.Pp
71The following options may be passed to the authentication module:
72.Bl -tag -width ".Cm use_first_pass"
73.It Cm use_first_pass
74If the authentication module
75is not the first in the stack,
76and a previous module
77obtained the user's password,
78that password is used
79to authenticate the user.
80If this fails,
81the authentication module returns failure
82without prompting the user for a password.
83This option has no effect
84if the authentication module
85is the first in the stack,
86or if no previous modules
87obtained the user's password.
88.It Cm try_first_pass
89This option is similar to the
90.Cm use_first_pass
91option,
92except that if the previously obtained password fails,
93the user is prompted for another password.
94.It Cm nullok
95Normally, keys with no passphrase are ignored for authentication
96purposes.
97If this option is set, keys with no passphrase will be taken into
98consideration, allowing the user to log in with a blank password.
99.El
100.Ss SSH Session Management Module
101The
102SSH
103session management component
104provides functions to initiate
105.Pq Fn pam_sm_open_session
106and terminate
107.Pq Fn pam_sm_close_session
108sessions.
109The
110.Fn pam_sm_open_session
111function starts an SSH agent,
112passing it any private keys it decrypted
113during the authentication phase,
114and sets the environment variables
115the agent specifies.
116The
117.Fn pam_sm_close_session
118function kills the previously started SSH agent
119by sending it a
120.Dv SIGTERM .
121.Pp
122The following options may be passed to the session management module:
123.Bl -tag -width ".Cm want_agent"
124.It Cm want_agent
125Start an agent even if no keys were decrypted during the
126authentication phase.
127.El
128.Sh FILES
129.Bl -tag -width ".Pa $HOME/.ssh/id_ed25519" -compact
130.It Pa $HOME/.ssh/id_rsa
131SSH2 RSA key
132.It Pa $HOME/.ssh/id_dsa
133SSH2 DSA key
134.It Pa $HOME/.ssh/id_ecdsa
135SSH2 ECDSA key
136.It Pa $HOME/.ssh/id_ed25519
137SSH2 Ed25519 key
138.El
139.Sh SEE ALSO
140.Xr ssh-agent 1 ,
141.Xr pam 3 ,
142.Xr pam.conf 5
143.Sh AUTHORS
144The
145.Nm
146module was originally written by
147.An -nosplit
148.An Andrew J. Korty Aq Mt ajk@iu.edu .
149The current implementation was developed for the
150.Fx
151Project by
152ThinkSec AS and NAI Labs, the Security Research Division of Network
153Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
154.Pq Dq CBOSS ,
155as part of the DARPA CHATS research program.
156This manual page was written by
157.An Mark R V Murray Aq Mt markm@FreeBSD.org .
158