[Bug 2246] New: PAM enhancements for OpenSSH server
bugzilla-daemon at mindrot.org
Thu Jun 19 00:42:55 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2246
Bug ID: 2246
Summary: PAM enhancements for OpenSSH server
Product: Portable OpenSSH
Version: 6.6p1
Hardware: Sparc
OS: Solaris
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: huieying.lee at oracle.com
Created attachment 2441
--> https://bugzilla.mindrot.org/attachment.cgi?id=2441&action=edit
pam_enhancements for OpenSSH server
We have implemented the following PAM enhancements for Solaris and we
would like to contribute back our implementations for these
enhancements:
1) Each SSHv2 userauth method has its own PAM service name so that PAM
can be used to control what userauth methods are allowed. This is for
protocol 2 only.
+----------------------+------------------+
| SSHv2 Userauth       | PAM Service Name |
+----------------------+------------------+
| none                 | sshd-none        |
| password             | sshd-password    |
| keyboard-interactive | sshd-kbdint      |
| pubkey               | sshd-pubkey      |
| hostbased            | sshd-hostbased   |
| gssapi-with-mic      | sshd-gssapi      |
+----------------------+------------------+
2) The PAMServiceName and PAMServicePrefix options in the server's
sshd_config configuration.

PAMServiceName
    Specifies the PAM service name for the PAM session. The
    PAMServiceName and PAMServicePrefix options are mutually
    exclusive and if both are set, sshd does not start. If
    this option is set the service name is the same for all
    user authentication methods. The option has no default
    value. See PAMServicePrefix for more information.

PAMServicePrefix
    Specifies the PAM service name prefix for service names
    used for individual user authentication methods. The
    default is sshd. The PAMServiceName and PAMServicePrefix
    options are mutually exclusive and if both are set,
    sshd does not start.

    For example, if this option is set to admincli, the
    service name for the keyboard-interactive authentication
    method is admincli-kbdint instead of the default
    sshd-kbdint.
Note that we understand that there is a bug in OpenSSH's bugzilla for
the PAMServiceName option already (bugid = 2102). The reason that it
is still listed here is to show the relationship between it and the
PAMServicePrefix option.
Attached is our implementation patch, which was applied to
OpenSSH 6.5p1.
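The service-name selection described in the report above, written out as an added example; it is not part of the original message and is not taken from the attached patch. The struct and function names (`pam_opts`, `fmt_name`, `pam_service_for`) are hypothetical, and the method names are spelled as in the report's table.

```c
#include <stdio.h>
#include <string.h>

/* Userauth method -> service-name suffix, spelled as in the report's table. */
static const struct { const char *method, *suffix; } suffixes[] = {
    { "none", "none" },           { "password", "password" },
    { "keyboard-interactive", "kbdint" }, { "pubkey", "pubkey" },
    { "hostbased", "hostbased" }, { "gssapi-with-mic", "gssapi" },
};

/* Hypothetical holder for the two sshd_config options; NULL means unset. */
struct pam_opts { const char *service_name, *service_prefix; };

/* Bounded formatting: -1 on truncation so a clipped name is never used. */
static int fmt_name(char *buf, size_t len, const char *a, const char *b)
{
    int n = b ? snprintf(buf, len, "%s-%s", a, b) : snprintf(buf, len, "%s", a);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Resolve the PAM service name for one userauth method.
 * Returns 0 on success, -1 if both options are set (the case where sshd
 * does not start), the method is unknown, or buf is too small. */
int pam_service_for(const struct pam_opts *o, const char *method,
                    char *buf, size_t len)
{
    const char *prefix = o->service_prefix ? o->service_prefix : "sshd";
    size_t i;

    if (o->service_name && o->service_prefix)
        return -1;                      /* mutually exclusive */
    if (o->service_name)                /* one name for every method */
        return fmt_name(buf, len, o->service_name, NULL);
    for (i = 0; i < sizeof(suffixes) / sizeof(suffixes[0]); i++)
        if (strcmp(method, suffixes[i].method) == 0)
            return fmt_name(buf, len, prefix, suffixes[i].suffix);
    return -1;                          /* unknown method: fail closed */
}

int main(void)
{
    struct pam_opts o = { NULL, "admincli" };   /* constructed sample config */
    char name[64];
    if (pam_service_for(&o, "keyboard-interactive", name, sizeof(name)) == 0)
        printf("%s\n", name);
    return 0;
}
```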