[Bug 2246] PAM enhancements for OpenSSH server
bugzilla-daemon at mindrot.org
Thu Nov 6 12:42:14 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2246
--- Comment #4 from huieying.lee at oracle.com ---
I have completed the implementation of the new "PAMServiceName" option
that you suggested. I also fixed the PAM state problem that Damier
brought up in July and fixed the pam_acct_mgmt() problem I discovered
myself.
Attached is the new PAMServiceName implementation patch. Could you
please review it and let me know if there are any problems? We really
want to keep our OpenSSH deliverables as close to the upstream as
possible; if possible, could you please let us know at your earliest
convenience as we are trying to complete our current release which we
strive to be in-sync with the future OpenSSH release.
For your reference, this new PAMServiceName option is documented in the
sshd_config man page as below:
-----------------------------------------------------------------------
PAMServiceName
Specifies the PAM service name for the PAM session. The valid
arguments are "service_name" or "service_name-%m".
1) PAMServiceName service_name
Specifies the PAM service for all user authentications,
where "service_name" is the PAM service name. For
example, if "PAMServiceName mysshd" is specified, then
"mysshd" is the PAM service name for all user
authentications.
2) PAMServiceName service_name-%m
This option only applies to SSH protocol 2.
With "-%m", each user authentication type has its own PAM
service name.
For example, if "PAMServiceName sshd-%m" is specified,
then the PAM service name is expanded to sshd-pubkey for
public key authentication, to sshd-kbdint for
keyboard-interactive authentication, and so on.
SSHv2 Userauth          Expanded PAMServiceName
--------------          -----------------------
none                    sshd-none
password                sshd-password
keyboard-interactive    sshd-kbdint
publickey               sshd-pubkey
hostbased               sshd-hostbased
gssapi-with-mic         sshd-gssapi
If "PAMServiceName mysshd-%m" is specified, then the PAM
service name is expanded to mysshd-pubkey for public key
authentication, to mysshd-kbdint for keyboard-interactive
authentication, and so on.
SSHv2 Userauth          Expanded PAMServiceName
--------------          -----------------------
none                    mysshd-none
password                mysshd-password
keyboard-interactive    mysshd-kbdint
publickey               mysshd-pubkey
hostbased               mysshd-hostbased
gssapi-with-mic         mysshd-gssapi
3) If "PAMServiceName service_name" or
"PAMServiceName service_name-%m" is not specified, then
"sshd" is the PAM service name for all user
authentications.
Note that this matches well with the current OpenSSH
default behavior.
-----------------------------------------------------------------------
Thanks,
Huie-Ying Lee
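
The expansion rule documented in the message above, as an added example that is not part of the original post or the attached patch. The helper name expand_pam_service is hypothetical; treating an unset option as NULL or empty, and rejecting an unknown method or a stray "%", are assumptions the man page text does not state.

```c
#include <stdio.h>
#include <string.h>

/* SSHv2 userauth method -> suffix, copied from the table in the message. */
static const struct { const char *method, *suffix; } suffixes[] = {
    { "none", "none" }, { "password", "password" },
    { "keyboard-interactive", "kbdint" }, { "publickey", "pubkey" },
    { "hostbased", "hostbased" }, { "gssapi-with-mic", "gssapi" },
};

/*
 * Hypothetical helper: expand a PAMServiceName value for one userauth
 * method. Returns 0 on success, -1 if the value is neither "service_name"
 * nor "service_name-%m", if the method is unknown (assumption), or if the
 * result would be truncated in out.
 */
int expand_pam_service(const char *opt, const char *method, char *out, size_t outlen)
{
    size_t i, len;
    const char *suffix = NULL;
    int n;

    if (opt == NULL || *opt == '\0')
        opt = "sshd";                       /* case 3: option not specified */
    len = strlen(opt);
    if (len < 3 || strcmp(opt + len - 3, "-%m") != 0) {
        if (strchr(opt, '%') != NULL) return -1;   /* e.g. "my%m" is not a valid form */
        n = snprintf(out, outlen, "%s", opt);      /* case 1: same name for every method */
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    if (len == 3 || memchr(opt, '%', len - 3) != NULL) return -1; /* empty base or stray % */
    for (i = 0; i < sizeof(suffixes) / sizeof(suffixes[0]); i++)
        if (method != NULL && strcmp(method, suffixes[i].method) == 0)
            suffix = suffixes[i].suffix;
    if (suffix == NULL) return -1;
    n = snprintf(out, outlen, "%.*s-%s", (int)(len - 3), opt, suffix); /* case 2 */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[64];
    size_t i;
    for (i = 0; i < sizeof(suffixes) / sizeof(suffixes[0]); i++)
        if (expand_pam_service("mysshd-%m", suffixes[i].method, buf, sizeof(buf)) == 0)
            printf("%-22s %s\n", suffixes[i].method, buf);
    return 0;
}
```

With the "-%m" form, each expanded name is a separate PAM service, so each one needs its own PAM policy entry on the host.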