[Bug 2246] New: PAM enhancements for OpenSSH server

bugzilla-daemon at mindrot.org
Thu Jun 19 00:42:55 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2246

            Bug ID: 2246
           Summary: PAM enhancements for OpenSSH server
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: Sparc
                OS: Solaris
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: huieying.lee at oracle.com

Created attachment 2441
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2441&action=edit
pam_enhancements for OpenSSH server

We have implemented the following PAM enhancements for Solaris and we
would like to contribute back our implementations for these
enhancements:

1) Each SSHv2 userauth method has its own PAM service name so that PAM
can be used to control what userauth methods are allowed.  This is for
protocol 2 only. 

     -----------------------------------------------
     | SSHv2 Userauth       | PAM Service Name     |
     -----------------------------------------------
     | none                 | sshd-none            |
     -----------------------------------------------
     | password             | sshd-password        |
     -----------------------------------------------
     | keyboard-interactive | sshd-kbdint          |
     -----------------------------------------------
     | pubkey               | sshd-pubkey          |
     -----------------------------------------------
     | hostbased            | sshd-hostbased       |
     -----------------------------------------------
     | gssapi-with-mic      | sshd-gssapi          |
     -----------------------------------------------


2) The PAMServiceName and PAMServicePrefix options in the server's
sshd_config configuration.

     PAMServiceName
          Specifies the PAM service name for the PAM session. The
          PAMServiceName and PAMServicePrefix options are mutually
          exclusive and if both set, sshd does not start. If
          this option is set the service name is the same for all
          user authentication methods. The option has no default
          value. See PAMServicePrefix for more information.

     PAMServicePrefix
          Specifies the PAM service name prefix for service names
          used for individual user authentication methods. The
          default is sshd. The PAMServiceName and PAMServicePrefix
          options are mutually exclusive and if both set,
          sshd does not start.

          For example, if this option is set to admincli, the
          service name for the keyboard-interactive authentication
          method is admincli-kbdint instead of the default
          sshd-kbdint.


Note that we understand that there is a bug in OpenSSH's bugzilla for
the PAMServiceName option already (bugid = 2102).  The reason that it
is still listed here is to show the relationship between it and the
PAMServicePrefix option.

Attached is our implementation patch, which was applied to
OpenSSH 6.5p1.

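The naming rule described in the report, as an added example that is not taken from attachment 2441 or from OpenSSH: it resolves the PAM service name for a userauth method from the two proposed options, including the both-set case in which sshd does not start. The function names pam_service_for and put and the return codes are assumptions; the method labels and suffixes are those in the report's table.

```c
#include <stdio.h>
#include <string.h>

/* Userauth label -> service-name suffix, as listed in the report's table. */
static const struct { const char *method, *suffix; } pam_suffix[] = {
    { "none", "none" },                   { "password", "password" },
    { "keyboard-interactive", "kbdint" }, { "pubkey", "pubkey" },
    { "hostbased", "hostbased" },         { "gssapi-with-mic", "gssapi" },
};

/* Write "a" or "a-b" into out; returns -3 if the name would be truncated. */
static int put(char *out, size_t len, const char *a, const char *b)
{
    int n = b ? snprintf(out, len, "%s-%s", a, b) : snprintf(out, len, "%s", a);
    return (n < 0 || (size_t)n >= len) ? -3 : 0;
}

/*
 * Hypothetical helper (not from the patch). name/prefix hold the
 * PAMServiceName/PAMServicePrefix values, NULL when unset.
 * Returns 0 on success, -1 if both options are set (sshd does not
 * start), -2 for an unknown method, -3 if out is too small.
 */
int pam_service_for(const char *name, const char *prefix,
                    const char *method, char *out, size_t len)
{
    size_t i;

    if (name != NULL && prefix != NULL)
        return -1;
    if (name != NULL)                 /* one service for every method */
        return put(out, len, name, NULL);
    if (prefix == NULL)
        prefix = "sshd";              /* default prefix per the report */
    for (i = 0; i < sizeof(pam_suffix) / sizeof(pam_suffix[0]); i++)
        if (strcmp(method, pam_suffix[i].method) == 0)
            return put(out, len, prefix, pam_suffix[i].suffix);
    return -2;
}

int main(void)
{
    char svc[64];
    size_t i;

    /* Constructed input: PAMServicePrefix admincli, PAMServiceName unset. */
    for (i = 0; i < sizeof(pam_suffix) / sizeof(pam_suffix[0]); i++)
        if (pam_service_for(NULL, "admincli", pam_suffix[i].method, svc, sizeof(svc)) == 0)
            printf("%-22s %s\n", pam_suffix[i].method, svc);
    return 0;
}
```

The printed list is the set of PAM service names that would need entries in the PAM configuration for the chosen prefix.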

