6

I'm looking for a way to authenticate users using a public key which is stored in a db (MongoDB). Similar questions usually resulted in a suggestion to install a patched version of OpenSSH (https://github.com/wuputahllc/openssh-for-git) which authenticates against a db (GitHub are using a patched version of OpenSSH).

I saw there is a PAM module to authenticate via MySQL, but it assumes a username/password authentication. I was wondering whether I can use some sort of a PAM module to authenticate using a public-key against a server.

EDITED: I need it for a git server where all users will be connecting via the 'git' username. There will be no specific username per user.

1
  • Did you ever manage to find a solution to work with PAM and public keys? Commented Aug 25, 2024 at 4:52

2 Answers 2

8

AuthorizedKeysCommand is what you need. It will require a decently new version of OpenSSH to be available and you to write a wrapper command that gets the key from the MongoDB database, but it will not require you to patch OpenSSH.

And a link with more details about AuthorizedKeysCommand.

3
  • Thanks. I forgot to mention the username is identical for all users (git). I've edited the question to explain. Commented May 1, 2014 at 23:10
  • Florin, I have openssh 1:6.6 on Ubuntu 14.04 and AuthorizedKeysCommand does not seem to be recognized. When I add it and restart my sshd, it says it's running, but when I check listening ports, there's nothing listening on port 22, and all ssh requests are rejected. Any ideas? Commented May 22, 2014 at 17:07
  • Check /var/log/messages for errors immediately after restarting ssh. Commented May 22, 2014 at 19:03
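
A sketch of the wrapper command the answer above describes, added here as an example and not part of the original answer. It assumes `pymongo`, a database `gitauth` with a collection `keys` holding `user_id`, `key_type` and `key_b64` fields, and a hypothetical per-user entry point `/usr/local/bin/git-serve`; because everyone logs in as `git`, each key is tied to its owner through a forced command, and stored values are validated so a bad record cannot inject an extra line or option.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper: print authorized_keys lines for the shared 'git' login."""
import base64, binascii, re, struct, sys

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
USER_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Hypothetical entry point; the forced command tells it which user owns the key.
FORCED_CMD = "/usr/local/bin/git-serve"
OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"

def render_line(user_id, key_type, key_b64):
    """Return one authorized_keys line, or None if the stored record is unsafe."""
    if not (isinstance(user_id, str) and USER_ID_RE.fullmatch(user_id)) \
            or key_type not in ALLOWED_TYPES or not isinstance(key_b64, str):
        return None
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError):
        return None  # spaces, quotes or newlines in the key field end up here
    # An SSH public key blob starts with a length-prefixed copy of its type name.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != key_type.encode():
        return None
    return f'command="{FORCED_CMD} {user_id}",{OPTIONS} {key_type} {key_b64}'

def authorized_keys(login, records):
    """records: iterable of dicts with user_id, key_type, key_b64 (assumed schema)."""
    if login != "git":
        return []
    lines = (render_line(r["user_id"], r["key_type"], r["key_b64"]) for r in records)
    return [line for line in lines if line]

def fetch_records():
    """Load keys from MongoDB; URI, database and collection names are assumptions."""
    from pymongo import MongoClient
    client = MongoClient("mongodb://127.0.0.1:27017", serverSelectionTimeoutMS=2000)
    return client.gitauth.keys.find({}, {"_id": 0, "user_id": 1, "key_type": 1, "key_b64": 1})

def sample_records():
    """Constructed records: an all-zero Ed25519 key and a line-injection attempt."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    good = base64.b64encode(blob).decode()
    return [{"user_id": "alice", "key_type": "ssh-ed25519", "key_b64": good},
            {"user_id": "bob\nssh-rsa", "key_type": "ssh-ed25519", "key_b64": good}]

if __name__ == "__main__":  # sshd passes the login name; "--demo" uses the sample data
    login = sys.argv[1] if len(sys.argv) > 1 else ""
    records = sample_records() if sys.argv[2:] == ["--demo"] else fetch_records()
    print("\n".join(authorized_keys(login, records)))
```

Point `AuthorizedKeysCommand` in `sshd_config` at the script's absolute path and set `AuthorizedKeysCommandUser` to an unprivileged account.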
6

SSH public key authentication is not implemented via PAM. It actually bypasses the PAM auth stack (but only auth), something which many administrators overlook.

Barring versions that support AuthorizedKeysCommand (as mentioned in Florin's answer), the only way to extend SSH public key auth is to patch either the daemon (public key lookups) or the client (private key lookups).

There are plenty of ways you can extend your authentication options via PAM, but modifying how SSH public key authentication works is not one of them.

2
  • Do we know if this is still the case and PAM has no ssh public key support? Commented Aug 25, 2021 at 17:58
  • Is it possible to configure PAM to work with public keys for session management? I am looking to implement a key rotation based session manager. Commented Aug 25, 2024 at 4:51
