How pam authentication works with ssh keys ?

paraggupta1989 · 07-03-2019, 12:31 AM

does pam auth module get called while using key for ssh login ?

below is my sshd config setting ::

# Enable public key authentication
PubkeyAuthentication yes

# Never use host-based authentication. It can be exploited.
IgnoreRhosts yes
IgnoreUserKnownHosts yes
HostbasedAuthentication no

# Enable PAM to enforce system wide rules
UsePAM yes

berndbausch · 07-03-2019, 07:18 AM

Judging from https://bugzilla.redhat.com/show_bug.cgi?id=1492313, sshd only uses PAM authentication with password-based login.

Quote:

The auth section of PAM stack is executed only for the password (or keyboard-interactive too?) authentication. For others, the auth section is skipped. Even though it might be confusing at first, this is how it always was and the only way how it makes sense, since for example in public key authentication, you do not have any authentication tokens that could PAM accept in pam_authenticate(). Therefore SSH calls just account and session sections.

paraggupta1989 · 07-03-2019, 11:36 PM

Thanks this was helpful .

Turbocapitalist · 07-03-2019, 11:58 PM

Also, look at the AuthenticationMethods configuration directive in the manuage page for sshd_config. You can use it to require multiple authentication methods in a particular sequence. So if you want PAM after getting a valid key-based authentication then that's doable.