pam_ssh_agent_auth
SourceForge project page
Section: PAM (8)
Updated: 2009-07-21
PAM_SSH_AGENT_AUTH
This module provides authentication via ssh-agent. It may take 5 arguments: file=/path/to/authorized_keys, debug, allow_user_owned_authorized_keys_file, authorized_keys_command=/path/to/command and authorized_keys_user=username.
If an ssh-agent listening at SSH_AUTH_SOCK can successfully prove that it holds the private key for a public key in the specified file, authentication is granted; otherwise authentication fails.
SUMMARY
- /etc/pam.d/sudo:
      auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
- /etc/sudoers:
      Defaults env_keep += "SSH_AUTH_SOCK"
This configuration would permit anyone who has an SSH_AUTH_SOCK that manages the private key matching a public key in /etc/security/authorized_keys to execute sudo without having to enter a password. Note that the ssh-agent listening to SSH_AUTH_SOCK can either be local or forwarded.
Unlike NOPASSWD, this still requires an authentication; it is just that the authentication is provided by ssh-agent rather than by password entry.
EXPANSIONS
- ~ --- same as in shells, a user's home directory
      Automatically enables allow_user_owned_authorized_keys_file
- %h --- User's home directory
      Automatically enables allow_user_owned_authorized_keys_file
- %H --- The short hostname
- %u --- Username
- %f --- FQDN
EXAMPLES
in /etc/pam.d/sudo

auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
      The default .ssh/authorized_keys file in a user's home directory.

auth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys
      Same as above.

auth sufficient pam_ssh_agent_auth.so file=/secure/%H/%u/authorized_keys allow_user_owned_authorized_keys_file
      On a host named foobar.baz.com, and a user named fred,
      would expand to /secure/foobar/fred/authorized_keys.
      In this case, we specified allow_user_owned_authorized_keys_file,
      so fred would be able to manage that authorized_keys file himself.

auth sufficient pam_ssh_agent_auth.so file=/secure/%f/%u/authorized_keys
      On a host named foobar.baz.com, and a user named fred,
      would expand to /secure/foobar.baz.com/fred/authorized_keys.
      In this case, we have not specified allow_user_owned_authorized_keys_file,
      so this file must be owned by root.

auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/path/to/command
      Use /path/to/command, which will receive a single argument, the name of the user authenticating, to look up authorized keys. The output of the command is expected to be in authorized_keys2 format.
      This runs the command as the user authenticating.

auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/path/to/command authorized_keys_user=nobody
      Same as above, but runs the command as user 'nobody'.

auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/path/to/command file=~/.ssh/authorized_keys
      Attempts to look up keys locally, and if not found, will consult authorized_keys_command. If both file and authorized_keys_command are specified, the module always checks file first, then command.
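The expansion and ownership rules above, worked through as an added example written for this page (not the module's own code). It assumes that %H is the first label of the FQDN and that flag arguments such as allow_user_owned_authorized_keys_file carry no "=":

```python
import re

# Added example, not part of pam_ssh_agent_auth. Expands a file= template
# as documented under EXPANSIONS and reports who must own the resulting
# authorized_keys file. Assumption: %H is the first label of the FQDN.


def expand_authorized_keys_path(template, user, home, fqdn):
    """Return (path, user_owned) for a file= template.

    user_owned is True when the template used ~ or %h, because those
    automatically enable allow_user_owned_authorized_keys_file.
    """
    short_host = fqdn.split(".", 1)[0]            # %H: short hostname
    user_owned = template.startswith("~") or "%h" in template
    path = home + template[1:] if template.startswith("~") else template
    subs = {"%h": home, "%H": short_host, "%u": user, "%f": fqdn}
    path = re.sub(r"%[hHuf]", lambda m: subs[m.group(0)], path)
    return path, user_owned


def parse_pam_line(line):
    """Turn 'auth sufficient pam_ssh_agent_auth.so arg ...' into a dict.

    Flags without '=' (debug, allow_user_owned_authorized_keys_file) map to True.
    """
    opts = {}
    for arg in line.split()[3:]:
        key, sep, value = arg.partition("=")
        opts[key] = value if sep else True
    return opts


def expected_owner(line, user, home, fqdn):
    """Return (expanded path, required owner) for the file= on a PAM line.

    The file must be root-owned unless allow_user_owned_authorized_keys_file
    is given explicitly or implied by ~ / %h. (None, None) if no file= given.
    """
    opts = parse_pam_line(line)
    if "file" not in opts:
        return None, None
    path, implied = expand_authorized_keys_path(opts["file"], user, home, fqdn)
    explicit = opts.get("allow_user_owned_authorized_keys_file") is True
    return path, (user if implied or explicit else "root")


def lookup_order(line):
    """Key sources the module consults, in order: file is always checked first."""
    opts = parse_pam_line(line)
    return [k for k in ("file", "authorized_keys_command") if k in opts]
```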