Scroll to navigation

PAM_SSHAUTH(8) System Manager's Manual PAM_SSHAUTH(8)

NAME

pam_sshauth - PAM module which authenticates against an ssh server

SYNOPSIS

pam_sshauth.so [debug] [nostrict] [shm_askpass] [authtries=tries] [try_first_pass] [host=host] [port=port]

DESCRIPTION

pam_sshauth is a PAM module that can be used to authenticate a user based on whether they can ssh into an external machine. It is written using sshlib.

The following PAM environment list variables are set by the module: PAM_SSHAUTH_HOST and PAM_SSHAUTH_PORT. Both of these reflect what was passed on the PAM command line to the module.

The module will attempt to initiate an SSH session with the host specified. It will support public-key, simple password, and keyboard-interactive authentication methods. Note that, in order for keyboard-interactive methods to work, the SSH server must have enabled ChallengeResponseAuthentication in it's configuration. This would be needed if you'd like the pam_sshauth module to handle password expiry messages when talking to the SSH server.

OPTIONS

debug

Log debug information to syslog. The LOG_AUTH facility is used.

nostrict

If contacting a host for which we don't have an entry in /etc/ssh/known_hosts, ask, via the pam prompts, if you'd like to trust this host. The default will be to fail the authentication.

shm_askpass

Properly handle interaction with the ASKPASS helper shm_askpass to allow you to spawn ssh sockets.

host=host

Specifies the host we're to authenticate with.

port=port

Specifies the port we're to contact the remote ssh server on (if not specified, it defaults to 22).

authtries=num

Specifies the number of times we will try to authenticate. Defaults to 3. Note that this is only the number of times pam_sshauth will try. If the SSH server has a smaller number specified via MaxAuthTries, pam_sshauth will not override that.

try_first_pass

Use the authentication token previously obtained by another module in the pam stack. If the token cannot be obtained, the pam_sshauth will prompt for a password.

MODULE TYPES PROVIDED

Only the auth module type is provided.

RETURN VALUES

PAM_SUCCESS

The user authenticated successfully.

PAM_AUTH_ERR

The user did not authenticate successfully.

PAM_SYSTEM_ERR

A system error occurred in establishing the ssh connection to the host specified. Check the syslog for details.

EXAMPLES

For an authentication line:



        auth required pam_sshauth.so debug nostrict host=192.168.0.254 port=22

SEE ALSO

pam.conf(5), pam.d(5), pam(7)

FILES

/etc/ssh/ssh_known_hosts

Servers to be authenticated must have an entry present in this file. The format of this file is documented in the sshd(8) man page.

AUTHOR

pam_sshauth was written by Scott Balneaves <sbalneav@ltsp.org>.

2015-07-02