
How to use PAM auth for ssh key clients?

gcb

How to unlock ssh private keys with PAM, so I can use fingerprintd module?

There are many questions here discussing PAM and kerberos for sshd auth, but I can't find anything on the client side.

Also, I do not want to use a ssh-agent at this time.

My setup uses one key per service, defined in the user's `~/.ssh/config` to avoid key-identification leak (i.e. it only tries the correct key to each known service, and no key to unknown ones).

Also, there's no convenience sshkey-agent. Users must type passwords at all times as one last confirmation step.

One convenience I'd like to add is PAM auth instead, so they can use fingerprintd (fingerprint readers).

Since it is the client side, a modern ssh code can be assumed (e.g. OpenSSH 9.2+). The use cases are ssh, scp and git (via fetches, which I assume just use ssh, and signed commits, `git config --local user.signingkey=/home/user/.ssh/somekey`, which I know nothing about what makes it happen, but assume it is regular sshkey tools).

Is there any solution to this?
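The per-service key layout the question describes, sketched as an added `~/.ssh/config` example (not the asker's actual file; host names and key paths are constructed). It relies on ssh_config using the first value obtained for each option, so the deny-by-default block must come last.

```sshconfig
# Constructed example: host names and key file names are placeholders.

# One dedicated key per known service.
Host git.example.com
    User git
    IdentityFile ~/.ssh/id_ed25519_git
    PubkeyAuthentication yes

Host backup.example.net
    IdentityFile ~/.ssh/id_ed25519_backup
    PubkeyAuthentication yes

# Catch-all, placed last because the first obtained value wins.
Host *
    # Offer only the IdentityFile configured for the matched host,
    # never extra identities from an agent or the default key files.
    IdentitiesOnly yes
    # Do not talk to any ssh-agent; the passphrase is asked on every use.
    IdentityAgent none
    # Unknown hosts get no public-key attempt at all, so no key
    # fingerprint is disclosed to them.
    PubkeyAuthentication no
```

Running `ssh -G git.example.com` prints the effective options for a host, which confirms which identity file and authentication settings apply to it.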

Halil Sen
I tried to use the `pam_tid.so` trick given [here](https://sixcolors.com/post/2020/11/quick-tip-enable-touch-id-for-sudo/) for `sudo` on `sshd` but it didn't work. So git must be calling something else in the background. FWIW, on Mac `ssh-add -K` adds the key to the keychain, so the user needs to put in the password once per login. If `ssh-add -A` is added to .bashrc (or equivalent) then there is no need to put in the password at all.
gcb
Thanks for the info. But this question is to avoid having the key always unlocked in memory to begin with, which is what an ssh-agent/ssh-add does. Completely different things, I'm afraid.