[Bug 2246] PAM enhancements for OpenSSH server

bugzilla-daemon at mindrot.org
Thu Jul 3 12:24:07 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2246

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I think it would be better to support a couple of %-escapes in
PAMServiceName. E.g.

PAMServiceName sshd-%m

where %m is replaced with the authentication method in use. Some others
for port number and interface address might make sense too.

Also, I don't think the proposed patch is correct - there is state in
auth-pam.c that should be stored separately per service name.

E.g. a PAM stack for password auth might set sshpam_account_status.
Later, a different authentication method might be tried resulting in a
different PAM stack being executed, but this cached value will still be
preferentially used. This could allow access inappropriately (or
vice-versa).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
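
Added example, not part of the original comment and not code from OpenSSH: a simplified C model of the concern in Comment #1, where one cached account result is reused after the authentication method (and so the PAM service name) changes, next to a version that keeps state per service name. Only sshpam_account_status and the sshd-%m form come from the comment; the helper names, the per-service table and the policy in run_account_stack are assumptions made for illustration.

```c
/* Simplified model written for this page; not code from OpenSSH's auth-pam.c. */
#include <stdio.h>
#include <string.h>

struct svc_state { char name[64]; int account_status; };
static struct svc_state states[8];      /* fix: one cached result per service */
static size_t nstates;
static int sshpam_account_status = -1;  /* flaw: single cached result, -1 = unset */

/* Constructed policy standing in for a PAM account stack (assumption):
 * only the "sshd-password" stack permits the account. */
static int run_account_stack(const char *svc) { return strcmp(svc, "sshd-password") == 0; }

/* Expand the %m escape suggested in the comment; other text is copied as-is. */
static void expand_service(const char *tmpl, const char *method, char *out, size_t n) {
    size_t o = 0;
    for (const char *p = tmpl; *p; p++) {
        const char *src = p; size_t len = 1;
        if (p[0] == '%' && p[1] == 'm') { src = method; len = strlen(method); p++; }
        for (size_t i = 0; i < len && o + 1 < n; i++) out[o++] = src[i];
    }
    out[o] = '\0';
}

static int account_ok_global(const char *svc) {
    if (sshpam_account_status == -1) sshpam_account_status = run_account_stack(svc);
    return sshpam_account_status;       /* may come from a different stack */
}

static int account_ok_per_service(const char *svc) {
    for (size_t i = 0; i < nstates; i++)
        if (strcmp(states[i].name, svc) == 0) return states[i].account_status;
    int r = run_account_stack(svc);     /* unknown service: run its own stack */
    if (nstates < sizeof states / sizeof states[0] && strlen(svc) < sizeof states[0].name) {
        strcpy(states[nstates].name, svc);
        states[nstates++].account_status = r;
    }
    return r;
}

/* Password auth is tried first, then publickey; returns the account decision
 * applied to the publickey attempt (1 = permitted). */
static int decision_after_method_switch(int per_service) {
    char a[64], b[64];
    sshpam_account_status = -1; nstates = 0;
    expand_service("sshd-%m", "password", a, sizeof a);
    expand_service("sshd-%m", "publickey", b, sizeof b);
    int (*check)(const char *) = per_service ? account_ok_per_service : account_ok_global;
    check(a);
    return check(b);
}
int main(void) {
    printf("single=%d per-service=%d\n", decision_after_method_switch(0), decision_after_method_switch(1));
}
```

With the single cached value the publickey attempt inherits the password stack's result (1); with per-service state the sshd-publickey stack is evaluated on its own (0).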