I just dug more deeply into this problem. First problem: I found that pam_sshauth reads /etc/ssh/ssh_known_hosts, which is not mentioned in manual page and I was not able to figure auth which known_hosts file is used. I had to have a look into source code.
Second problem: pam_sshauth seems not to write anything into /etc/ssh/ssh_known_hosts although manual page states that "If contacting a host for which we don't have an entry in known_hosts, ask, via the pam prompts, if you'd like to trust this host, and add it to your known_hosts file. The default will be to fail the authentication." I interpret this information as it should add the host into ssh_known_hosts when I say "yes". But there is nothing about saving the host key in pam_sshauth's source code. Third and main problem: pam_sshauth does not work with hashed known_hosts entries, which is default behavior in Debian Jessie (at least, I don't know the situation in previous releases). If I create /etc/ssh/ssh_known_hosts manually using the following command, it works: ssh-keyscan X.X.X.X > /etc/ssh/ssh_known_hosts But this (which is Debian Jessie default) does not work (host name/address output is hashed) - pam_sshauth ignore these entries: ssh-keyscan -H X.X.X.X > /etc/ssh/ssh_known_hosts -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

