Debian specific system-wide setup
---------------------------------

pam_ssh honours TMPDIR when spawning ssh-agent: ssh-agent is asked to
place its agent socket in TMPDIR. pam_tmpdir from the libpam-tmpdir
Debian package can be used to set up a per-user TMPDIR; it must be
listed before pam_ssh in the session stack so that TMPDIR is already
set when ssh-agent is started:

    ...
    @include common-session
    session optional pam_tmpdir.so
    session optional pam_ssh.so
    ...

The libpam-ssh Debian package comes with three PAM configuration
profiles, /usr/share/pam-configs/ssh-{pwd,client,server}. They are
meant to be enabled with pam-auth-update(8); they are mutually
exclusive and none of them is mandatory. Within the limitations of
pam-auth-update(8), they provide three basic authentication schemes
(see pam_ssh(8)):

 - the password oriented scheme (ssh-pwd) follows the default
   authentication scheme and uses the password so obtained to decrypt
   the user's SSH login keys;

 - the client oriented scheme (ssh-client) lets users authenticate
   themselves with one of their SSH login keys; users are not prompted
   for a passphrase when the password failed to decrypt any of their
   SSH login keys;

 - the server oriented scheme (ssh-server) is similar to ssh-client
   except that users are prompted for an SSH passphrase when the
   password failed to decrypt their SSH login keys; this scheme needs a
   working SSH server (Debian package openssh-server) with the option
   ChallengeResponseAuthentication set to yes (see sshd_config(5)).

The three profiles share the same session scheme (see pam_ssh(8)):
they start an SSH agent (ssh-agent(1)) and add to it every user SSH
login key successfully decrypted during the authentication phase and
every SSH session key that can be decrypted with the passwords and
passphrases successfully used during that authentication phase.

The ssh-pwd profile is enabled by default. Superusers may choose their
favourite profile, or none of them, by invoking pam-auth-update(8).
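The two points above that are easy to get wrong are the module order (pam_tmpdir before pam_ssh in the session stack) and, for the ssh-server scheme, the sshd challenge-response setting. The following script is an added example, not part of the libpam-ssh package; it checks both against a given file. The PAM and sshd_config fragments it inspects are constructed samples, and the function names pam_session_order and sshd_cra_enabled are its own. It also accepts KbdInteractiveAuthentication, the name newer OpenSSH releases use for the same option (ChallengeResponseAuthentication being kept as an alias), and follows sshd in taking the first occurrence of a keyword as the effective value.

```shell
#!/bin/sh
# Added example; not part of the libpam-ssh package.
# Checks two requirements of the setup described above:
#  1. in a PAM service file, the session line for pam_tmpdir.so must come
#     before the session line for pam_ssh.so, otherwise TMPDIR is not set
#     yet when pam_ssh spawns ssh-agent;
#  2. for the ssh-server scheme, sshd_config must enable challenge-response
#     (keyboard-interactive) authentication.
# Only the given file is read; @include lines are not followed.

# pam_session_order FILE
# exit 0 if an uncommented "session ... pam_tmpdir.so" line precedes the
# "session ... pam_ssh.so" line, 1 if pam_ssh.so is missing or comes first.
pam_session_order() {
    awk '
        /^[ \t]*#/       { next }   # comment
        $1 != "session"  { next }   # auth/account/password lines do not matter here
        /pam_tmpdir\.so/ { seen_tmpdir = 1 }
        /pam_ssh\.so/    { seen_ssh = 1; if (!seen_tmpdir) bad = 1 }
        END { if (seen_ssh && !bad) exit 0; exit 1 }
    ' "$1"
}

# sshd_cra_enabled FILE
# exit 0 if the global value of ChallengeResponseAuthentication (or its
# newer name KbdInteractiveAuthentication) is "yes". Like sshd, the first
# occurrence wins; settings inside Match blocks are ignored.
sshd_cra_enabled() {
    awk '
        /^[ \t]*#/ { next }
        { gsub(/=/, " ") }                      # accept "Keyword=value" too
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        tolower($1) == "challengeresponseauthentication" ||
        tolower($1) == "kbdinteractiveauthentication" {
            if (val == "") val = tolower($2)
        }
        END { if (val == "yes") exit 0; exit 1 }
    ' "$1"
}

# Constructed sample files (not real system files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

GOOD_PAM="$tmp/pam-good"
cat > "$GOOD_PAM" <<'EOF'
@include common-session
session optional pam_tmpdir.so
session optional pam_ssh.so
EOF

BAD_PAM="$tmp/pam-bad"
cat > "$BAD_PAM" <<'EOF'
@include common-session
session optional pam_ssh.so
# too late: ssh-agent was already started without TMPDIR
session optional pam_tmpdir.so
EOF

GOOD_SSHD="$tmp/sshd-good"
printf 'ChallengeResponseAuthentication yes\nUsePAM yes\n' > "$GOOD_SSHD"

BAD_SSHD="$tmp/sshd-bad"
printf '#ChallengeResponseAuthentication yes\nChallengeResponseAuthentication no\nMatch User foo\n\tChallengeResponseAuthentication yes\n' > "$BAD_SSHD"

for f in "$GOOD_PAM" "$BAD_PAM"; do
    if pam_session_order "$f"; then echo "$f: pam_tmpdir before pam_ssh: ok"
    else echo "$f: pam_ssh.so missing or listed before pam_tmpdir.so"; fi
done
for f in "$GOOD_SSHD" "$BAD_SSHD"; do
    if sshd_cra_enabled "$f"; then echo "$f: challenge-response enabled: ok"
    else echo "$f: challenge-response NOT enabled; ssh-server scheme will not prompt"; fi
done
```

On a real system run the two functions against the service file that carries the pam_ssh session line (for example /etc/pam.d/common-session after pam-auth-update) and /etc/ssh/sshd_config; because @include is not followed, check the file that actually contains both session lines.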
These PAM profiles exemplify three basic usages of the pam_ssh(8) PAM
module. For more intricate usages, superusers are invited to choose none
of them by invoking pam-auth-update(8) and to customise their PAM
configuration files in /etc/pam.d (see pam.d(5)). For this purpose the
debug option (see pam_ssh(8)) might be useful.

 -- Jerome Benoit , Tue, 28 Dec 2021 14:03:43 +0000