| | 1 | .\" Copyright (c) 2001 Mark R V Murray |
| | 2 | .\" All rights reserved. |
| | 3 | .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. |
| | 4 | .\" All rights reserved. |
| | 5 | .\" |
| | 6 | .\" This software was developed for the FreeBSD Project by ThinkSec AS and |
| | 7 | .\" NAI Labs, the Security Research Division of Network Associates, Inc. |
| | 8 | .\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the |
| | 9 | .\" DARPA CHATS research program. |
| | 10 | .\" |
| | 11 | .\" Redistribution and use in source and binary forms, with or without |
| | 12 | .\" modification, are permitted provided that the following conditions |
| | 13 | .\" are met: |
| | 14 | .\" 1. Redistributions of source code must retain the above copyright |
| | 15 | .\" notice, this list of conditions and the following disclaimer. |
| | 16 | .\" 2. Redistributions in binary form must reproduce the above copyright |
| | 17 | .\" notice, this list of conditions and the following disclaimer in the |
| | 18 | .\" documentation and/or other materials provided with the distribution. |
| | 19 | .\" 3. The name of the author may not be used to endorse or promote |
| | 20 | .\" products derived from this software without specific prior written |
| | 21 | .\" permission. |
| | 22 | .\" |
| | 23 | .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
| | 24 | .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| | 25 | .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| | 26 | .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| | 27 | .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| | 28 | .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| | 29 | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| | 30 | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| | 31 | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| | 32 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| | 33 | .\" SUCH DAMAGE. |
| | 34 | .\" |
| | 35 | .\" $FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.8,v 1.14 2005/09/22 05:35:24 des Exp $ |
| | 36 | .\" $DragonFly: src/lib/pam_module/pam_ssh/pam_ssh.8,v 1.1 2005/07/12 23:26:49 joerg Exp $ |
| | 37 | .\" |
| | 38 | .Dd November 26, 2001 |
| | 39 | .Dt PAM_SSH 8 |
| | 40 | .Os |
| | 41 | .Sh NAME |
| | 42 | .Nm pam_ssh |
| | 43 | .Nd authentication and session management with SSH private keys |
| | 44 | .Sh SYNOPSIS |
| | 45 | .Op Ar service-name |
| | 46 | .Ar module-type |
| | 47 | .Ar control-flag |
| | 48 | .Pa pam_ssh |
| | 49 | .Op Ar options |
| | 50 | .Sh DESCRIPTION |
| | 51 | The |
| | 52 | SSH |
| | 53 | authentication service module for PAM, |
| | 54 | .Nm |
| | 55 | provides functionality for two PAM categories: |
| | 56 | authentication |
| | 57 | and session management. |
| | 58 | In terms of the |
| | 59 | .Ar module-type |
| | 60 | parameter, they are the |
| | 61 | .Dq Li auth |
| | 62 | and |
| | 63 | .Dq Li session |
| | 64 | features. |
| | 65 | .Ss SSH Authentication Module |
| | 66 | The |
| | 67 | SSH |
| | 68 | authentication component |
| | 69 | provides a function to verify the identity of a user |
| | 70 | .Pq Fn pam_sm_authenticate , |
| | 71 | by prompting the user for a passphrase and verifying that it can |
| | 72 | decrypt the target user's SSH key using that passphrase. |
| | 73 | .Pp |
| | 74 | The following options may be passed to the authentication module: |
| | 75 | .Bl -tag -width ".Cm use_first_pass" |
| | 76 | .It Cm use_first_pass |
| | 77 | If the authentication module |
| | 78 | is not the first in the stack, |
| | 79 | and a previous module |
| | 80 | obtained the user's password, |
| | 81 | that password is used |
| | 82 | to authenticate the user. |
| | 83 | If this fails, |
| | 84 | the authentication module returns failure |
| | 85 | without prompting the user for a password. |
| | 86 | This option has no effect |
| | 87 | if the authentication module |
| | 88 | is the first in the stack, |
| | 89 | or if no previous modules |
| | 90 | obtained the user's password. |
| | 91 | .It Cm try_first_pass |
| | 92 | This option is similar to the |
| | 93 | .Cm use_first_pass |
| | 94 | option, |
| | 95 | except that if the previously obtained password fails, |
| | 96 | the user is prompted for another password. |
| | 97 | .It Cm nullok |
| | 98 | Normally, keys with no passphrase are ignored for authentication |
| | 99 | purposes. |
| | 100 | If this option is set, keys with no passphrase will be taken into |
| | 101 | consideration, allowing the user to log in with a blank password. |
| | 102 | .El |
| | 103 | .Ss SSH Session Management Module |
| | 104 | The |
| | 105 | SSH |
| | 106 | session management component |
| | 107 | provides functions to initiate |
| | 108 | .Pq Fn pam_sm_open_session |
| | 109 | and terminate |
| | 110 | .Pq Fn pam_sm_close_session |
| | 111 | sessions. |
| | 112 | The |
| | 113 | .Fn pam_sm_open_session |
| | 114 | function starts an SSH agent, |
| | 115 | passing it any private keys it decrypted |
| | 116 | during the authentication phase, |
| | 117 | and sets the environment variables |
| | 118 | the agent specifies. |
| | 119 | The |
| | 120 | .Fn pam_sm_close_session |
| | 121 | function kills the previously started SSH agent |
| | 122 | by sending it a |
| | 123 | .Dv SIGTERM . |
| | 124 | .Pp |
| | 125 | The following options may be passed to the session management module: |
| | 126 | .Bl -tag -width ".Cm want_agent" |
| | 127 | .It Cm want_agent |
| | 128 | Start an agent even if no keys were decrypted during the |
| | 129 | authentication phase. |
| | 130 | .El |
| | 131 | .Sh FILES |
| | 132 | .Bl -tag -width ".Pa $HOME/.ssh/identity" -compact |
| | 133 | .It Pa $HOME/.ssh/identity |
| | 134 | SSH1 RSA key |
| | 135 | .It Pa $HOME/.ssh/id_rsa |
| | 136 | SSH2 RSA key |
| | 137 | .It Pa $HOME/.ssh/id_dsa |
| | 138 | SSH2 DSA key |
| | 139 | .El |
| | 140 | .Sh SEE ALSO |
| | 141 | .Xr ssh-agent 1 , |
| | 142 | .Xr pam.conf 5 , |
| | 143 | .Xr pam 8 |
| | 144 | .Sh AUTHORS |
| | 145 | The |
| | 146 | .Nm |
| | 147 | module was originally written by |
| | 148 | .An -nosplit |
| | 149 | .An "Andrew J. Korty" Aq ajk@iu.edu . |
| | 150 | The current implementation was developed for the |
| | 151 | .Fx |
| | 152 | Project by |
| | 153 | ThinkSec AS and NAI Labs, the Security Research Division of Network |
| | 154 | Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 |
| | 155 | .Pq Dq CBOSS , |
| | 156 | as part of the DARPA CHATS research program. |
| | 157 | This manual page was written by |
| | 158 | .An "Mark R V Murray" Aq markm@FreeBSD.org . |
nant's projects / dragonfly.git / blame_incremental