How to use PAM auth for ssh key clients?


How to unlock ssh private keys with PAM, so I can use the fingerprintd module?

There are many questions here discussing PAM and kerberos for sshd auth, but I can't find anything on the client side.

Also, I do not want to use an ssh-agent at this time.

My setup uses one key per service, defined in the user's ~/.ssh/config to avoid key-identification leak (i.e. it only tries the correct key for each known service, and no key for unknown ones).

Also, there's no convenience sshkey-agent. The user must type passwords at all times as one last confirmation step.

One convenience I'd like to add is PAM auth instead, so they can use fingerprintd (fingerprint readers).

Since it is the client side, a modern ssh code base can be assumed (e.g. OpenSSH 9.2+). The use cases are ssh, scp and git (via fetches, which I assume just use ssh, and signed commits, git config --local user.signingkey=/home/user/.ssh/somekey, which I know nothing about what makes it happen, but assume it is regular sshkey tools).

Is there any solution to this?
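
The one-key-per-service layout the question describes, sketched as an added example (not the poster's actual configuration). The host aliases, host names and key file names are placeholders, and the catch-all block is one assumed way to offer no key to unknown hosts.

```sshconfig
# Constructed example: aliases, host names and key paths are placeholders.

Host git-service
    HostName git.example.com
    User git
    # The only key that may be offered to this service.
    IdentityFile ~/.ssh/git_service_ed25519
    # Offer only the configured IdentityFile, never default or agent keys.
    IdentitiesOnly yes
    # ssh keeps the first value it obtains for an option, so this wins
    # over the "no" in the catch-all block below.
    PubkeyAuthentication yes

Host build-box
    HostName build.example.com
    IdentityFile ~/.ssh/build_box_ed25519
    IdentitiesOnly yes
    PubkeyAuthentication yes

# Catch-all must come last. Any host not matched above gets no public-key
# attempt at all, so no key is revealed to an unknown server.
Host *
    # No agent is consulted, matching the "no ssh-agent" requirement.
    IdentityAgent none
    IdentitiesOnly yes
    PubkeyAuthentication no
```

Running `ssh -G <alias>` prints the options ssh would apply to that host without connecting, which lets you confirm the identityfile, identitiesonly and pubkeyauthentication values per service.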
