PAM_SSH(8) | System Manager's Manual | PAM_SSH(8) |
pam_ssh
—
auth
” and
“session
” features.
pam_sm_authenticate
()), by prompting the user
for a passphrase and verifying that it can decrypt the target user's SSH key
using that passphrase.
The following options may be passed to the authentication module:
use_first_pass
try_first_pass
use_first_pass
option, except that if the previously obtained password fails, the user is
prompted for another password.nullok
pam_sm_open_session
()) and terminate
(pam_sm_close_session
()) sessions. The
pam_sm_open_session
() function starts an SSH agent,
passing it any private keys it decrypted during the authentication phase, and
sets the environment variables the agent specifies. The
pam_sm_close_session
() function kills the previously
started SSH agent by sending it a SIGTERM
.
The following options may be passed to the session management module:
want_agent
pam_ssh
module was originally written by
Andrew J. Korty
<ajk@iu.edu>. The current
implementation was developed for the FreeBSD Project
by ThinkSec AS and NAI Labs, the Security Research Division of Network
Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
(“CBOSS”), as part of the DARPA CHATS research program. This
manual page was written by Mark R V Murray
<markm@FreeBSD.org>.
pam_ssh
module implements what is fundamentally a
password authentication scheme. Care should be taken to only use this module
over a secure session (secure TTY, encrypted session, etc.), otherwise the
user's SSH passphrase could be compromised.
Additional consideration should be given to the use of
pam_ssh
. Users often assume that file permissions
are sufficient to protect their SSH keys, and thus use weak or no
passphrases. Since the system administrator has no effective means of
enforcing SSH passphrase quality, this has the potential to expose the
system to security risks.
December 16, 2011 | NetBSD 9.4 |