Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 07-03-2019, 12:31 AM   #1
LQ Newbie
Registered: Nov 2018
Posts: 4

Rep: Reputation: Disabled
How pam authentication works with ssh keys ?

does pam auth module get called while using key for ssh login ?

below is my sshd config setting ::

# Enable public key authentication
PubkeyAuthentication yes

# Never use host-based authentication. It can be exploited.
IgnoreRhosts yes
IgnoreUserKnownHosts yes
HostbasedAuthentication no

# Enable PAM to enforce system wide rules
UsePAM yes
Old 07-03-2019, 07:18 AM   #2
Senior Member
Registered: Nov 2013
Location: Tokyo
Distribution: Redhat/Centos, Ubuntu, Raspbian, Fedora, Alpine, Cirros, OpenSuse/SLES
Posts: 3,464

Rep: Reputation: 913Reputation: 913Reputation: 913Reputation: 913Reputation: 913Reputation: 913Reputation: 913Reputation: 913
Judging from, sshd only uses PAM authentication with password-based login.

The auth section of PAM stack is executed only for the password (or keyboard-interactive too?) authentication. For others, the auth section is skipped. Even though it might be confusing at first, this is how it always was and the only way how it makes sense, since for example in public key authentication, you do not have any authentication tokens that could PAM accept in pam_authenticate(). Therefore SSH calls just account and session sections.

Last edited by berndbausch; 07-03-2019 at 07:47 AM.
Old 07-03-2019, 11:36 PM   #3
LQ Newbie
Registered: Nov 2018
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks this was helpful .
Old 07-03-2019, 11:58 PM   #4
Senior Member
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,171
Blog Entries: 3

Rep: Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064
Also, look at the AuthenticationMethods configuration directive in the manuage page for sshd_config. You can use it to require multiple authentication methods in a particular sequence. So if you want PAM after getting a valid key-based authentication then that's doable.

Last edited by Turbocapitalist; 07-04-2019 at 12:05 AM.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
PAM Authentication failure Authentication token no longer valid, allowed in anyway quikster Linux - Server 1 03-12-2015 02:37 AM
/etc/pam.d/system-auth-ac vs. /etc/pam.d/password-auth-ac vs. /etc/pam.d/sshd christr Red Hat 2 08-01-2014 07:08 PM
[SOLVED] Is ssh keys authentication more secure than password authentication? GrepAwkSed Linux - Security 6 03-17-2012 08:25 PM
PAM auth with SecurID and SSH keys jdvail Linux - Security 2 06-12-2009 07:39 AM
SSH host keys VS SSH keys kenneho Linux - Security 3 09-11-2008 06:03 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:14 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration