| PAM_SSH(8) | System Manager's Manual | PAM_SSH(8) | 
pam_ssh —
auth” and
  “session” features.
pam_sm_authenticate()), by prompting the user
  for a passphrase and verifying that it can decrypt the target user's SSH key
  using that passphrase.
The following options may be passed to the authentication module:
use_first_passtry_first_passuse_first_pass
      option, except that if the previously obtained password fails, the user is
      prompted for another password.nullokpam_sm_open_session()) and terminate
  (pam_sm_close_session()) sessions. The
  pam_sm_open_session() function starts an SSH agent,
  passing it any private keys it decrypted during the authentication phase, and
  sets the environment variables the agent specifies. The
  pam_sm_close_session() function kills the previously
  started SSH agent by sending it a SIGTERM.
The following options may be passed to the session management module:
want_agentpam_ssh module was originally written by
  Andrew J. Korty
  <ajk@iu.edu>. The current
  implementation was developed for the FreeBSD Project
  by ThinkSec AS and NAI Labs, the Security Research Division of Network
  Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
  (“CBOSS”), as part of the DARPA CHATS research program. This
  manual page was written by Mark R V Murray
  <markm@FreeBSD.org>.
pam_ssh module implements what is fundamentally a
  password authentication scheme. Care should be taken to only use this module
  over a secure session (secure TTY, encrypted session, etc.), otherwise the
  user's SSH passphrase could be compromised.
Additional consideration should be given to the use of
    pam_ssh. Users often assume that file permissions
    are sufficient to protect their SSH keys, and thus use weak or no
    passphrases. Since the system administrator has no effective means of
    enforcing SSH passphrase quality, this has the potential to expose the
    system to security risks.
| December 16, 2011 | NetBSD 10.0 |