_define () { read -r -d '' ${1} || true } _define _CAVEAT_PRE_2_0 <<-'EOF' CAVEAT EMPTOR: Backward incompatible change, requires manual intervention: (See the abridged README and Changelog below). To sum up: . The "keyfiles" option has been removed. You should edit your /etc/pam.d/??? and remove it. . If ~/.ssh/id_(ed25519|(r|d|ecd)sa) exist, those will be used. . The module now also tries to authenticate against keys located in ~/.ssh/login-keys.d/ (can be symlinks to the actual keys). . Additional keys in ~/.ssh/session-keys.d/ will be loaded too. Excerpt from pam_ssh 2.0 README: Per-user setup -------------- pam_ssh will try to decrypt the traditional SSH keys, that is, files matching $HOME/.ssh/id_(ed25519|(r|d|ecd)sa). pam_ssh will also try to decrypt all keys in the directories $HOME/.ssh/login-keys.d and $HOME/.ssh/session-keys.d, and (if your system administrator has configured your system thus) allow you to log in using any of these login keys. So if you want to log in by using an SSH key passphrase, you should create a login-keys.d directory and in this directory create (symbolic links to) all the keys you want to use as login keys. Nevertheless keys in the directory $HOME/.ssh/login-keys.d with .disabled or .frozen as suffix are ignored. The handling for keys in $HOME/.ssh/session-keys.d is similar bot those are not used for login purposes. Excerpt from pam_ssh 2.0 Changelog: Version 2.0 released ==================== 2013-11-17 Wolfgang Rosenauer * pam_ssh.c: search additional keys in directory session-keys.d Users having alternative keys (non-default names) and want them unlocked at login with the passphrase and added to the agent can now put or link them into .ssh/session-keys.d directory 2013-11-10 Wolfgang Rosenauer [...] * pam_get_pass.c, pam_get_pass.h, pam_ssh.c: [...] Look for SSH keys in $HOME/.ssh/login-keys.d/, given that SSH keys with .disabled or .frozen as suffix are ignored. "keyfiles" option has been removed EOF _is_older_than_2_0 () { local pkg_ver="$1" test $(vercmp "$pkg_ver" '2.0') -lt 0 } post_upgrade () { local new_pkg_ver="$1" # not used local old_pkg_ver="$2" if _is_older_than_2_0 $old_pkg_ver; then echo "$_CAVEAT_PRE_2_0" fi }