SSHAuth Plugin Documentation
- Plugin Name: SSHAuth
- Plugin Type: Authentication
- Version: 3.9.9.5
- Author: David Dumas
How the SSHAuth Plugin Works
The SSHAuth plugin provides pGina services using an SSH server as a data source. The plugin connects to the SSH server and attempts to authenticate as the given user with the “password” authentication method. The user does not need to be able to open an actual shell or execute commands on the SSH server, but note that the SSH authentication stage will return failure if the user's shell is set to “/sbin/nologin”.
Known issues
- Many SSH servers do not support the “password” authentication method and instead use “keyboard-interactive” to ask for the user’s password. However, this plugin does not support “keyboard-interactive” authentication.
- The plugin uses the first address returned by getaddrinfo. Therefore, if a name resolution attempt for the given SSH hostname returns multiple addresses (e.g. IPv4 and IPv6), the plugin will only function as intended if a connect attempt using the first address returned is successful.
- Password change is not supported and would be complicated/fragile to implement by this method.
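A pre-deployment check for the first two issues above, as an added example that is not part of the plugin or written by its author. It assumes you have captured the output of the OpenSSH client run with `ssh -v` against the server; the function names and the sample debug lines are constructed for illustration, and Python's resolver ordering is only a stand-in for what the plugin sees on the same machine.

```python
import re
import socket

# Line the OpenSSH client prints under -v after a rejected auth attempt.
_CONTINUE = re.compile(r"^debug1: Authentications that can continue: (\S+)", re.M)

def offered_methods(ssh_verbose_output):
    """Methods from the first 'can continue' line of `ssh -v` output, else []."""
    m = _CONTINUE.search(ssh_verbose_output)
    return m.group(1).split(",") if m else []

def password_method_offered(ssh_verbose_output):
    """SSHAuth needs the literal 'password' method; keyboard-interactive is not enough."""
    return "password" in offered_methods(ssh_verbose_output)

def first_address(host, port, resolver=socket.getaddrinfo):
    """Return (family, sockaddr, total) for the first getaddrinfo result only."""
    # port may be a number or a service name such as "ssh", as in the plugin config.
    results = resolver(host, port, type=socket.SOCK_STREAM)
    family, _type, _proto, _canon, sockaddr = results[0]
    return family, sockaddr, len(results)

def first_address_connects(host, port, timeout=3.0, resolver=socket.getaddrinfo):
    """True if a TCP connect to the first resolved address succeeds (no fallback)."""
    family, sockaddr, _total = first_address(host, port, resolver)
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return True
        except OSError:
            return False

# Constructed sample: server asks for passwords via keyboard-interactive only.
SAMPLE_KBD_ONLY = (
    "debug1: SSH2_MSG_SERVICE_ACCEPT received\n"
    "debug1: Authentications that can continue: publickey,keyboard-interactive\n"
)
# Constructed sample: server also offers the plain 'password' method.
SAMPLE_PASSWORD = "debug1: Authentications that can continue: publickey,password\n"

if __name__ == "__main__":
    print("kbd-only server usable:", password_method_offered(SAMPLE_KBD_ONLY))
    print("password server usable:", password_method_offered(SAMPLE_PASSWORD))
```

If `first_address` reports more than one result and `first_address_connects` returns False, the hostname resolves to an address family the server is not reachable on, which is the failure described in the second known issue.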
Configuration
The configuration options for the SSHAuth plugin are described below:
- Host - SSH server. This field supports IP addresses or fully qualified domain names.
- Port - The port used when connecting to the SSH server. Typically, this is 22. This string is passed directly to getaddrinfo, hence service names known to Windows are also accepted (e.g. “ssh”).
Author
This SSHAuth plugin for pGina 3.x was developed by David Dumas (david@dumas.io).
This plugin was inspired by a pGina 1.x and 2.x plugin also named SSHAuth developed by Ahmed Obied. However, due to the significant plugin interface changes for pGina 3.x, this plugin was developed from scratch rather than being derived from that codebase.