pam_sshauth - PAM module which authenticates against an ssh server
[debug] [nostrict] [shm_askpass] [authtries=tries] [try_first_pass]
[host=host] [port=port]
pam_sshauth is a PAM module that can be used to authenticate a user based on
whether they can ssh into an external machine. It is written using sshlib.
The following PAM environment list variables are set by the module:
. Both of these reflect
what was passed on the PAM command line to the module.
The module will attempt to initiate an SSH session with the host specified. It
supports public-key, simple password, and keyboard-interactive
authentication methods. Note that, in order for keyboard-interactive methods
to work, the SSH server must have enabled
in its configuration. This would be needed if you'd like the pam_sshauth
module to handle password expiry messages when talking to the SSH server.
debug
Log debug information to syslog. The LOG_AUTH
facility is used.
nostrict
If contacting a host for which we don't have
an entry in /etc/ssh/known_hosts, ask, via the pam prompts, if you'd like to
trust this host. The default will be to fail the authentication.
shm_askpass
Properly handle interaction with the ASKPASS
helper shm_askpass to allow you to spawn ssh sockets.
host=host
Specifies the host we're to authenticate
port=port
Specifies the port we're to contact the remote
ssh server on (if not specified, it defaults to 22).
authtries=tries
Specifies the number of times we will try to
authenticate. Defaults to 3. Note that this is only the number of times
pam_sshauth will try. If the SSH server has a smaller number specified
via MaxAuthTries, pam_sshauth will not override that.
try_first_pass
Use the authentication token previously
obtained by another module in the pam stack. If the token cannot be obtained,
pam_sshauth will prompt for a password.
Only the auth module type is provided.
The user authenticated successfully.
The user did not authenticate
A system error occurred in establishing the
ssh connection to the host specified. Check the syslog for details.
For an authentication line:
auth required pam_sshauth.so debug nostrict host=192.168.0.254 port=22
Servers to be authenticated must have an entry
present in this file. The format of this file is documented in the
sshd(8) man page.
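The check below is an added example, not part of pam_sshauth or its documentation: it audits one authentication line for nostrict and tests whether the configured host has a plain or hashed known_hosts entry in the sshd(8) format. The function names and finding labels are hypothetical, the known_hosts content is constructed, and it assumes a pam.d-style line with a single-token control field and no wildcard host patterns.

```python
import base64, hashlib, hmac

def parse_pam_line(line):
    """Options of a pam.d-style pam_sshauth auth line as a dict, else None."""
    f = line.split()
    if len(f) < 3 or f[0] != "auth" or not f[2].endswith("pam_sshauth.so"):
        return None
    return {k: v or True for k, _, v in (t.partition("=") for t in f[3:])}

def host_in_known_hosts(host, port, text):
    """True if text (known_hosts content) has a plain or hashed entry for host."""
    name = host if port == 22 else f"[{host}]:{port}"  # form used for non-default ports
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] == "@revoked":
            continue
        if fields[0].startswith("@"):  # skip a marker such as @cert-authority
            fields = fields[1:]
        if not fields:
            continue
        if fields[0].startswith("|1|"):  # hashed: |1|base64(salt)|base64(HMAC-SHA1)
            _, _, salt, digest = fields[0].split("|")
            mac = hmac.new(base64.b64decode(salt), name.encode(), hashlib.sha1)
            if hmac.compare_digest(mac.digest(), base64.b64decode(digest)):
                return True
        elif name in fields[0].split(","):
            return True
    return False

def audit(line, known_hosts_text):
    """Findings for one PAM line; an empty list means nothing to report."""
    opts = parse_pam_line(line)
    if opts is None:
        return []
    strict = "nostrict" not in opts
    findings = [] if strict else ["NOSTRICT"]  # host trust decided at the PAM prompt
    host = opts.get("host")
    if not isinstance(host, str):
        return findings + ["NO_HOST"]  # no host= option on the line
    port = int(opts["port"]) if isinstance(opts.get("port"), str) else 22
    if not host_in_known_hosts(host, port, known_hosts_text):
        # Without nostrict the module fails the authentication; with it, it asks.
        findings.append("UNKNOWN_HOST_FAILS" if strict else "UNKNOWN_HOST_PROMPT")
    return findings

# The authentication line from this page, and a constructed known_hosts entry.
PAGE_LINE = "auth required pam_sshauth.so debug nostrict host=192.168.0.254 port=22"
KNOWN_HOSTS = "192.168.0.254 ssh-ed25519 AAAA-constructed-placeholder-key\n"

if __name__ == "__main__":
    print(audit(PAGE_LINE, KNOWN_HOSTS))
```

A line that reports UNKNOWN_HOST_PROMPT leaves the trust decision for an unrecognized host key to whoever is answering the PAM prompts; adding the host key to known_hosts and dropping nostrict removes that prompt.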
pam_sshauth was written by Scott Balneaves <email@example.com>.