SSH Communications Security

Pluggable Authentication Module (PAM)

We recommend the use of keyboard-interactive authentication with PAM.

When PAM is used, SSH Secure Shell transfers the control of authentication to the PAM library, which will then load the modules specified in the PAM configuration file. Finally, the PAM library tells SSH Secure Shell whether or not the authentication was successful. SSH Secure Shell is not aware of the details of the actual authentication method employed by PAM. Only the final result is of interest.

To enable PAM support, perform the following tasks:

  1. Compile the source:
    ./configure
    make
    make install 
    
    By default, the PAM service name is sshd2; this is the name PAM uses to find the stack, either in /etc/pam.d/sshd2 or in the sshd2 entries of /etc/pam.conf. To change it, add the configure flag --with-daemon-pam-service-name=name.
  2. When using the keyboard-interactive PAM submethod (the recommended setup), make sure that you have the following lines in the /etc/ssh2/sshd2_config file:
    AllowedAuthentications  keyboard-interactive
    AuthKbdInt.Optional     pam
    
    And the following line in the /etc/ssh2/ssh2_config file:
    AllowedAuthentications  keyboard-interactive
    
    If you are not using keyboard-interactive, make sure that you have the following line in both your /etc/ssh2/sshd2_config file and your /etc/ssh2/ssh2_config file:
    AllowedAuthentications  pam-1@ssh.com
    
    AllowedAuthentications is a comma-separated list: with only the value shown, every other method (publickey, password, and so on) is disabled, so add any method that must remain available.
    

The PAM configuration settings are located either in /etc/pam.conf or in /etc/pam.d/sshd2. The modules are usually either in the /lib/security directory or in the /usr/lib/security directory. Currently, SSH Secure Shell supports PAM on Linux and on Solaris 2.6 or later.

The configuration file must contain at least one auth, one account, and one session entry for the sshd2 service; if any of the three is missing, sshd2 refuses the connection. Modules that require the PAM_TTY item do not work, because SSH Secure Shell allocates the TTY only after authentication has completed.

PAM Examples

The following are examples of different PAM configurations.

  1. The /etc/pam.d/sshd2 file on Red Hat Linux:
    # nullok accepts accounts whose password is empty; remove it unless that is intended
    auth     required /lib/security/pam_pwdb.so shadow nullok
    # refuse non-root logins while /etc/nologin exists
    auth     required /lib/security/pam_nologin.so
    account  required /lib/security/pam_pwdb.so
    # password strength check, then the change itself (use_authtok reuses the
    # new password already checked by pam_cracklib)
    password required /lib/security/pam_cracklib.so
    password required /lib/security/pam_pwdb.so shadow nullok use_authtok
    session  required /lib/security/pam_pwdb.so
    
  2. The /etc/pam.conf entry on Solaris:
    # debug sends verbose pam_unix output to syslog; drop it outside troubleshooting
    sshd2  auth      required  /usr/lib/security/pam_unix.so debug
    sshd2  account   required  /usr/lib/security/pam_unix.so debug
    sshd2  password  required  /usr/lib/security/pam_unix.so debug
    sshd2  session   required  /usr/lib/security/pam_unix.so debug
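
The requirement that the sshd2 stack contain an auth, an account and a session entry is easy to break when editing an existing PAM file, and both examples above carry options (nullok, debug) that deserve a second look before the server goes into production. The following POSIX shell script is added here as an illustration; it is not part of SSH Secure Shell or its documentation. It parses either the /etc/pam.d/sshd2 layout or the /etc/pam.conf layout with awk, reports missing stack types and flags those two options. The function names check_pam_stack and write_samples, and the two sample files the script writes, are constructed for this example; the parser assumes the one-word control field (required, optional, ...) used on this page, not Linux-PAM's bracketed [success=...] syntax.

```shell
#!/bin/sh
# Added check (not part of SSH Secure Shell): verify that a PAM service stack
# contains at least one auth, one account and one session entry, as sshd2
# requires, and flag two options worth reviewing: "nullok" (accounts with an
# empty password may log in) and "debug" (extra logging to syslog).
# Assumes the one-word control field used in the examples on this page.

# check_pam_stack FILE [SERVICE]
#   Without SERVICE: FILE uses the /etc/pam.d/<service> layout
#                    (type control module options...).
#   With SERVICE:    FILE uses the /etc/pam.conf layout
#                    (service type control module options...) and only the
#                    lines for that service are examined.
#   Prints FAIL/WARN findings; exit status 0 when the stack is complete, 1 otherwise.
check_pam_stack() {
    awk -v svc="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        {
            if (svc != "") {                            # pam.conf: service name is column 1
                if ($1 != svc) next
                type = $2; module = $4; first_opt = 5
            } else {                                    # pam.d/<service>: no service column
                type = $1; module = $3; first_opt = 4
            }
            sub(/.*\//, "", module)                     # keep the module file name only
            seen[type]++
            for (i = first_opt; i <= NF; i++) {
                if ($i == "nullok") print "WARN: " type ": " module " accepts empty passwords (nullok)"
                if ($i == "debug")  print "WARN: " type ": " module " logs debug output to syslog (debug)"
            }
        }
        END {
            rc = 0
            n = split("auth account session", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen)) {
                    print "FAIL: no " need[i] " entry; sshd2 would refuse the connection"
                    rc = 1
                }
            exit rc
        }' "$1"
}

# write_samples DIR: constructed sample configurations (not real system files)
write_samples() {
    # pam.d layout, modelled on the Red Hat example above but with its session line missing
    cat > "$1/sshd2" <<'EOF'
auth     required /lib/security/pam_pwdb.so shadow nullok
auth     required /lib/security/pam_nologin.so
account  required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
EOF
    # pam.conf layout, modelled on the Solaris example, plus an unrelated login service
    cat > "$1/pam.conf" <<'EOF'
login  auth      required  /usr/lib/security/pam_unix.so
sshd2  auth      required  /usr/lib/security/pam_unix.so debug
sshd2  account   required  /usr/lib/security/pam_unix.so
sshd2  session   required  /usr/lib/security/pam_unix.so
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "== $tmp/sshd2 (pam.d layout)"
check_pam_stack "$tmp/sshd2" || echo "=> incomplete stack"
echo "== $tmp/pam.conf, service sshd2 (pam.conf layout)"
check_pam_stack "$tmp/pam.conf" sshd2 && echo "=> stack complete"
rm -rf "$tmp"
```

Run it against the real files with check_pam_stack /etc/pam.d/sshd2 on Linux or check_pam_stack /etc/pam.conf sshd2 on Solaris (using the service name chosen at configure time). The first sample fails because its session line is missing and warns about nullok twice; the second passes but warns about debug, and the login service lines are ignored.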
    

See Section Keyboard-Interactive Authentication for more information on keyboard-interactive authentication.

Note: SSH Communications Security does not provide technical support on how to configure PAM. Our support only covers SSH Secure Shell applications and source code.


Copyright © 2003 SSH Communications Security Corp.
All rights reserved.
Copyright Notice