.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\" Copyright (c) 2001 Networks Associates Technology, Inc.
.\" All rights reserved.
.\" This software was developed for the FreeBSD Project by ThinkSec AS and
.\" NAI Labs, the Security Research Division of Network Associates, Inc.
.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
.\" DARPA CHATS research program.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\" products derived from this software without specific prior written
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" $FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.8,v 1.8.2.2 2002/07/03 21:41:30 des Exp $
.\" $DragonFly: src/lib/libpam/modules/pam_ssh/Attic/pam_ssh.8,v 1.2 2003/06/17 04:26:50 dillon Exp $
authentication service module for PAM,
provides functionality for two PAM categories:
and session management.
parameter, they are the
It also provides null functions for the remaining categories.
.Ss SSH Authentication Module
authentication component
provides a function to verify the identity of a user
.Pq Fn pam_sm_authenticate ,
by prompting the user for a passphrase and verifying that it can
decrypt the target user's SSH key using that passphrase.
The following options may be passed to the authentication module:
.Bl -tag -width ".Cm use_first_pass"
debugging information at
If the authentication module
is not the first in the stack,
obtained the user's password,
to authenticate the user.
the authentication module returns failure
without prompting the user for a password.
This option has no effect
if the authentication module
is the first in the stack,
or if no previous modules
obtained the user's password.
This option is similar to the
except that if the previously obtained password fails,
the user is prompted for another password.
.Ss SSH Session Management Module
session management component
provides functions to initiate
.Pq Fn pam_sm_open_session
.Pq Fn pam_sm_close_session
.Fn pam_sm_open_session
function starts an SSH agent,
passing it any private keys it decrypted
during the authentication phase,
and sets the environment variables
.Fn pam_sm_close_session
function kills the previously started SSH agent
The following options may be passed to the session management module:
.Bl -tag -width ".Cm use_first_pass"
debugging information at
.Bl -tag -width ".Pa $HOME/.ssh2/id_dsa_*" -compact
.It Pa $HOME/.ssh/identity
SSH1/OpenSSH RSA key.
.It Pa $HOME/.ssh/id_dsa
.It Pa $HOME/.ssh2/id_rsa_*
.It Pa $HOME/.ssh2/id_dsa_*
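.Pp
The following is an added example, not part of the original manual page or the pam_ssh sources: a Python check that flags two stack layouts the text above describes, use_first_pass on a pam_ssh rule that is first in the auth stack (where it has no effect), and a pam_ssh session rule with no pam_ssh auth rule (so no keys were decrypted for the agent). It assumes pam.d-style "type control module options" lines; the function names, finding codes and sample stacks are constructed for illustration.

```python
# Added example (not from the pam_ssh sources). Assumes pam.d-style rule lines:
#   type control module [options...]   with single-word control flags.

def parse_stack(text):
    """Return (type, control, module, options) tuples for each rule line."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 3:                     # skip blank/malformed lines
            rules.append((fields[0], fields[1], fields[2], fields[3:]))
    return rules

def is_pam_ssh(module):
    """Match pam_ssh, pam_ssh.so or an absolute path to it."""
    return module.rsplit("/", 1)[-1].split(".")[0] == "pam_ssh"

def lint_pam_ssh(text):
    """Return finding codes for the pam_ssh behaviours the manual describes."""
    rules = parse_stack(text)
    auth = [r for r in rules if r[0] == "auth"]
    session = [r for r in rules if r[0] == "session"]
    findings = []
    # use_first_pass has no effect when the module is first in the auth stack
    # (whether an earlier module really obtained a password is not checkable here).
    if auth and is_pam_ssh(auth[0][2]) and "use_first_pass" in auth[0][3]:
        findings.append("use_first_pass-no-effect")
    # The session module hands the agent keys decrypted during authentication;
    # with no pam_ssh auth rule there are no decrypted keys to pass.
    if any(is_pam_ssh(r[2]) for r in session) and not any(is_pam_ssh(r[2]) for r in auth):
        findings.append("session-without-auth")
    return findings

# Constructed sample stacks (pam_unix.so stands in for any password-prompting module).
STACK_OK = """
auth     required    pam_unix.so
auth     sufficient  pam_ssh.so   use_first_pass
session  optional    pam_ssh.so
"""
STACK_FIRST = """
auth     sufficient  pam_ssh.so   use_first_pass   # first: nothing to reuse
auth     required    pam_unix.so
session  optional    pam_ssh.so
"""
STACK_SESSION_ONLY = """
auth     required    pam_unix.so
session  optional    pam_ssh.so
"""
if __name__ == "__main__":
    for name in ("STACK_OK", "STACK_FIRST", "STACK_SESSION_ONLY"):
        print(name, lint_pam_ssh(globals()[name]))
```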