[Bug 2246] PAM enhancements for OpenSSH server

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Nov 6 12:42:14 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2246

--- Comment #4 from huieying.lee at oracle.com ---
I have completed the implementation of the new "PAMServiceName" option
that you suggested.  I also fixed the PAM state problem that Damien
brought up in July and fixed the pam_acct_mgmt() problem I discovered
myself.

Attached is the new PAMServiceName implementation patch.  Could you
please review it and let me know if there are any problems?  We really
want to keep our OpenSSH deliverables as close to the upstream as
possible; if possible, could you please let us know at your earliest
convenience, as we are trying to complete our current release, which we
strive to keep in sync with the future OpenSSH release.

For your reference, this new PAMServiceName option is documented in the
sshd_config man page as below:

-----------------------------------------------------------------------
PAMServiceName

          Specifies the PAM service name for the PAM session. The valid
          arguments are "service_name" or "service_name-%m".

          1) PAMServiceName service_name

             Specifies the PAM service for all user authentications,  
             where "service_name" is the PAM service name.  For   
             example, if "PAMServiceName mysshd" is specified, then     
             "mysshd" is the PAM service name for all user
             authentications.

          2) PAMServiceName service_name-%m

             This option only applies to SSH protocol 2. 

             With "-%m", each user authentication type has its own PAM
             service name. 

             For example, if "PAMServiceName sshd-%m" is specified,
             then the PAM service name is expanded to sshd-pubkey for
             public key authentication, to sshd-kbdint for
             keyboard-interactive authentication, and so on.

               SSHv2 Userauth         Expanded PAMServiceName
               --------------         -----------------------
               none                   sshd-none
               password               sshd-password
               keyboard-interactive   sshd-kbdint
               publickey              sshd-pubkey
               hostbased              sshd-hostbased
               gssapi-with-mic        sshd-gssapi

             If "PAMServiceName mysshd-%m" is specified, then the PAM
             service name is expanded to mysshd-pubkey for public key
             authentication, to mysshd-kbdint for keyboard-interactive
             authentication, and so on.

               SSHv2 Userauth         Expanded PAMServiceName
               --------------         -----------------------
               none                   mysshd-none
               password               mysshd-password
               keyboard-interactive   mysshd-kbdint
               publickey              mysshd-pubkey
               hostbased              mysshd-hostbased
               gssapi-with-mic        mysshd-gssapi


          3) If "PAMServiceName service_name" or
             "PAMServiceName service_name-%m" is not specified, then
             "sshd" is the PAM service name for all user
             authentications.

             Note that this matches well with the current OpenSSH 
             default behavior.
-----------------------------------------------------------------------

Thanks,
Huie-Ying Lee
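
The expansion rules documented in the comment above, as an added example that is not part of the patch or of OpenSSH: a shell model of the "-%m" expansion plus a check that lists which expanded service names have no file in a PAM configuration directory. The function names and the file-per-service directory layout (as in /etc/pam.d) are assumptions; on PAM implementations that fall back to an "other" service, a missing file means that method is governed by the fallback policy.

```shell
#!/bin/sh
# Added illustration of the proposed PAMServiceName semantics; not the patch's code.
# SSHv2 userauth methods listed in the man page table (the -%m form is SSHv2 only).
SSH2_METHODS="none password keyboard-interactive publickey hostbased gssapi-with-mic"

# method_suffix METHOD: print the text substituted for %m, per the table.
method_suffix() {
    case "$1" in
        none|password|hostbased) printf '%s\n' "$1" ;;
        keyboard-interactive)    echo kbdint ;;
        publickey)               echo pubkey ;;
        gssapi-with-mic)         echo gssapi ;;
        *) return 1 ;;           # method not in the documented table
    esac
}

# expand_pam_service VALUE METHOD
# VALUE is the PAMServiceName argument; an empty VALUE means the option is unset.
# Returns 1 for an unknown method, 2 for a VALUE outside the two documented forms.
expand_pam_service() {
    value=$1
    suffix=$(method_suffix "$2") || return 1
    case "$value" in
        '') echo sshd ;;                         # form 3: option unset, default
        *-%m)                                    # form 2: service_name-%m
            base=${value%"-%m"}
            case "$base" in ''|*%*) return 2 ;; esac
            printf '%s-%s\n' "$base" "$suffix" ;;
        *%*) return 2 ;;                         # any other use of % is undocumented
        *)  printf '%s\n' "$value" ;;            # form 1: one name for all methods
    esac
}

# missing_pam_services VALUE DIR
# Print each distinct expanded service name that has no regular file in DIR.
missing_pam_services() {
    expand_pam_service "$1" none >/dev/null || return 2
    for m in $SSH2_METHODS; do
        svc=$(expand_pam_service "$1" "$m")
        [ -f "$2/$svc" ] || printf '%s\n' "$svc"
    done | sort -u
}

# Stand-alone use: script.sh 'sshd-%m' /etc/pam.d
if [ "$#" -eq 2 ]; then
    missing_pam_services "$1" "$2"
fi
```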
