
I'm looking for a way to authenticate users using a public key which is stored in a db (MongoDB). Similar questions usually resulted in a suggestion to install a patched version of OpenSSH (https://github.com/wuputahllc/openssh-for-git) which authenticates against a db (GitHub are using a patched version of OpenSSH).

I saw there is a PAM module to authenticate via MySQL, but it assumes username/password authentication. I was wondering whether I can use some sort of PAM module to authenticate using a public key against a server.

EDITED: I need it for a git server where all users will be connecting via the 'git' username. There will be no specific username per user.

Gilad Novik

2 Answers


SSH public key authentication is not implemented via PAM. It actually bypasses the PAM auth stack (but only auth), something which many administrators overlook.

Barring versions that support AuthorizedKeysCommand (as mentioned in Florin's answer), the only way to extend SSH public key auth is to patch either the daemon (public key lookups) or the client (private key lookups).

There are plenty of ways you can extend your authentication options via PAM, but modifying how SSH public key authentication works is not one of them.

Andrew B

AuthorizedKeysCommand is what you need. It will require a decently new version of OpenSSH and a wrapper command, written by you, that gets the key from the MongoDB database, but it will not require you to patch OpenSSH.

And a link with more details about AuthorizedKeysCommand.

Catskul
Florin Asăvoaie
  • Thanks. I forgot to mention the username is identical for all users (git). I've edited the question to explain. – Gilad Novik May 01 '14 at 23:10
  • Florin, I have openssh 1:6.6 on Ubuntu 14.04 and AuthorizedKeysCommand does not seem to be recognized. When I add it and restart my sshd, it says it's running, but when I check listening ports, there's nothing listening on port 22, and all ssh requests are rejected. Any ideas? – TheJKFever May 22 '14 at 17:07
  • Check /var/log/messages for errors immediately after restarting ssh. – Florin Asăvoaie May 22 '14 at 19:03
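A worked AuthorizedKeysCommand wrapper for the shared `git` account, added here as an example; it is not code from OpenSSH, GitHub, or the answer above. It assumes the sshd_config lines quoted in its docstring, a hypothetical MongoDB collection `ssh_keys` with fields `login`, `key_type`, `key_b64` and `active`, a hypothetical forced command `/usr/local/bin/git-serve` that receives the repo user as its argument, and pymongo on the git server. Because every connection arrives as `git`, the key itself has to identify the user, so each returned line carries a `command="..."` option naming that user and the usual restriction options. The sample documents at the bottom are constructed for the test run, not real keys.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand wrapper that serves public keys from MongoDB.

Added example for this thread; not code from OpenSSH, GitHub or any project.
Assumed sshd_config (the %t/%k tokens need OpenSSH 6.9 or later; 6.2-6.8
pass only the username, which this script also handles):

    AuthorizedKeysCommand /usr/local/bin/mongo-authkeys %u %t %k
    AuthorizedKeysCommandUser nobody
    PubkeyAuthentication yes

Assumed (hypothetical) document layout in collection ssh_keys:
    {"login": "alice", "key_type": "ssh-ed25519", "key_b64": "AAAA...", "active": true}
"""
import re
import sys

GIT_ACCOUNT = "git"                              # the one shared login
GIT_SERVE = "/usr/local/bin/git-serve"           # hypothetical forced command
OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"

KEY_TYPE = re.compile(r"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))$")
KEY_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
LOGIN = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


def valid_record(rec):
    """Reject anything that could break the authorized_keys line or smuggle
    extra options: the login lands inside the quoted command="...", and the
    key fields are copied verbatim, so all three are whitelisted."""
    return (
        rec.get("active") is True
        and LOGIN.match(rec.get("login", "")) is not None
        and KEY_TYPE.match(rec.get("key_type", "")) is not None
        and KEY_B64.match(rec.get("key_b64", "")) is not None
    )


def select_records(records, ssh_user, key_type=None, key_b64=None):
    """Filter documents for one sshd query. Only the shared git account is
    served; when sshd passes %t/%k, only the key being offered is returned."""
    if ssh_user != GIT_ACCOUNT:
        return []
    out = []
    for rec in records:
        if not valid_record(rec):
            continue
        if key_type is not None and rec["key_type"] != key_type:
            continue
        if key_b64 is not None and rec["key_b64"] != key_b64:
            continue
        out.append(rec)
    return out


def authorized_keys_lines(records):
    """Render documents as authorized_keys lines; the forced command tells the
    git wrapper which repo user this key belongs to."""
    return [
        f'command="{GIT_SERVE} {r["login"]}",{OPTIONS} {r["key_type"]} {r["key_b64"]} {r["login"]}'
        for r in records
    ]


def mongo_query(ssh_user, key_type=None, key_b64=None):
    """Live lookup; pymongo is imported here so the rest runs without it."""
    from pymongo import MongoClient  # assumed installed on the git server
    if ssh_user != GIT_ACCOUNT:
        return []
    query = {"active": True}
    if key_type is not None:
        query["key_type"] = key_type
    if key_b64 is not None:
        query["key_b64"] = key_b64
    coll = MongoClient("mongodb://localhost:27017/")["gitserver"]["ssh_keys"]
    return list(coll.find(query))


def main(argv):
    # sshd passes %u always and, on 6.9+, %t %k as two more arguments
    if len(argv) not in (2, 4):
        return 2
    user = argv[1]
    key_type = argv[2] if len(argv) == 4 else None
    key_b64 = argv[3] if len(argv) == 4 else None
    try:
        recs = select_records(mongo_query(user, key_type, key_b64), user, key_type, key_b64)
    except Exception:
        return 1  # DB unreachable: print no keys and fail closed for this source
    for line in authorized_keys_lines(recs):
        print(line)
    return 0


# Constructed sample documents standing in for the collection (not real keys).
SAMPLE_RECORDS = [
    {"login": "alice", "key_type": "ssh-ed25519",
     "key_b64": "AAAAC3NzaC1lZDI1NTE5AAAAIGx1dG9rZXlub3RyZWFsbm90cmVhbG5vdHJlYWxub3Q=", "active": True},
    {"login": "bob", "key_type": "ssh-rsa", "key_b64": "AAAAB3NzaC1yc2EAAAADAQABAAABAQC", "active": True},
    {"login": "mallory", "key_type": "ssh-rsa", "key_b64": "AAAAB3NzaC1yc2EAAAADAQABAAABAQD", "active": False},
    # option-injection attempt: a quote in the login would close command="..." early
    {"login": 'x",permitopen="*:*', "key_type": "ssh-rsa", "key_b64": "AAAAB3NzaC1yc2E", "active": True},
]

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Before relying on it: sshd refuses to start when AuthorizedKeysCommand is set without AuthorizedKeysCommandUser (a symptom that matches the comment above about nothing listening on port 22 after a restart), and it refuses to run the command unless the script and its directory are owned by root and not writable by group or others; `sshd -t` reports both problems before you restart the daemon. On OpenSSH 6.2 through 6.8 only the username is passed, so the wrapper returns every active key for `git` and sshd does the matching itself; from 6.9 the `%t %k` arguments let the query narrow to the offered key. Keys served this way are still ordinary public key auth and, as Andrew B's answer notes, still bypass the PAM auth stack.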