[Bug 2246] PAM enhancements for OpenSSH server

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Aug 14 12:17:56 EST 2014


--- Comment #2 from huieying.lee at oracle.com ---
Thank you for the evaluation and suggestion.  I would like to confirm
the following three items with you:

1) PAMServiceName sshd-%m

I interpreted your suggestion for this option as following:

The value of the PAMServiceName option can be specified as
"service_name" or "service_name-%m"

a) PAMServiceName service_name

   Only one PAM service for all user authentications with
"service_name" as the PAM service name.

b) PAMServiceName service_name-%m

   An administrator can use this option for SSHv2, so that each
userauth type has its own PAM service name.  For example, if
"PAMServiceName sshd-%m" is specified, then the PAM service name will
be expanded to sshd-password, sshd-kbdint, sshd-pubkey, sshd-hostbased
and sshd-gssapi respectively for the password, keyboard-interactive,
pubkey, hostbased and gssapi-with-mic userauth methods.

   This applies to SSH protocol 2 only.

c) If the "PAMServiceName" option is not specified in the sshd_config
file, then it defaults to "PAMServiceName sshd", which means that there
is only one PAM service and the server name is "sshd".  Note that this
matches the current OpenSSH default behavior.

Is my interpretation correct?

2) The PAM state problem in the proposed patch

You are right that there may be some state problems in the case of the
"each SSHv2 userauth method has its own PAM service name" situation.

Although the PAM service will be invoked many times in this case, the
invocations are sequential and there will always be only one pam_handle
at any moment. Therefore, we can resolve this problem by cleaning up
the PAM state, calling pam_end(), before invoking a new PAM service.  And
the PAM state can be stored in those static variables, for example:

static pam_handle_t *sshpam_handle = NULL;   /* the single active PAM handle */
static int sshpam_err = 0;                   /* last PAM return code */
static int sshpam_authenticated = 0;         /* pam_authenticate() succeeded */
static int sshpam_account_status = -1;       /* pam_acct_mgmt() result, -1 = not run yet */
static char **sshpam_env = NULL;             /* environment exported by PAM modules */

3) The pam_acct_mgmt problem in the patch

While checking into the state problem, I also found another problem in
the patch.  pam_acct_mgmt() should also be called for each userauth
method if each userauth method has its own PAM service.  I will fix
this problem and submit another patch later.

Note that pam_setcred() and pam_open_session() do not need to be called
for each userauth method.  They can be called after all the userauth
methods are processed, as long as there is a valid pam_handle.
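As an added illustration (not code from the patch or from OpenSSH), the following C function expands a PAMServiceName template such as "sshd-%m" into the per-method service name described in item 1, using the method-to-suffix mapping given there (keyboard-interactive becomes kbdint, publickey becomes pubkey, gssapi-with-mic becomes gssapi). The function name, the `%%` escape and the rejection of unknown methods or escapes are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Suffix table for the SSHv2 userauth methods named in the comment. */
struct method_suffix { const char *method; const char *suffix; };
static const struct method_suffix suffixes[] = {
    { "password",             "password"  },
    { "keyboard-interactive", "kbdint"    },
    { "publickey",            "pubkey"    },
    { "hostbased",            "hostbased" },
    { "gssapi-with-mic",      "gssapi"    },
};

/* Returns the suffix for a userauth method, or NULL if it is unknown. */
static const char *method_to_suffix(const char *method)
{
    size_t i;
    for (i = 0; i < sizeof(suffixes) / sizeof(suffixes[0]); i++)
        if (strcmp(method, suffixes[i].method) == 0)
            return suffixes[i].suffix;
    return NULL;
}

/* Expand "%m" (and "%%") in tmpl into out. Returns 0 on success, -1 on an
 * unknown method, an unknown escape, or a too-small buffer (out is then ""). */
int pam_service_name(const char *tmpl, const char *method, char *out, size_t outlen)
{
    const char *suffix = method_to_suffix(method);
    size_t o = 0, n;
    if (suffix == NULL || outlen == 0) return -1;
    out[0] = '\0';
    for (; *tmpl != '\0'; tmpl++) {
        char one[2] = { *tmpl, '\0' };
        const char *piece = one;
        if (*tmpl == '%') {
            tmpl++;                         /* look at the escape character */
            if (*tmpl == 'm') piece = suffix;
            else if (*tmpl == '%') piece = "%";
            else { out[0] = '\0'; return -1; }   /* also catches a trailing '%' */
        }
        n = strlen(piece);
        if (o + n >= outlen) { out[0] = '\0'; return -1; }   /* no truncation */
        memcpy(out + o, piece, n);
        o += n;
        out[o] = '\0';
    }
    return 0;
}

/* Helper: does tmpl expanded for method equal expect? (1 = yes, 0 = no) */
int service_name_is(const char *tmpl, const char *method, const char *expect)
{
    char buf[64];
    return pam_service_name(tmpl, method, buf, sizeof buf) == 0 &&
           strcmp(buf, expect) == 0;
}
```

A template without "%m" (the item 1c default of "sshd") expands to itself for every method, which is the single-service behaviour the comment describes.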
