[openssh-commits] [openssh] branch master updated: add a sshd_config PamServiceName option
git+noreply at mindrot.org
Fri Jun 14 14:21:01 AEST 2024
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
The following commit(s) were added to refs/heads/master by this push:
new b2c64bc1 add a sshd_config PamServiceName option
b2c64bc1 is described below
commit b2c64bc170d75823622a37cab3ca1804ca87ad16
Author: Damien Miller <djm at mindrot.org>
AuthorDate: Fri Jun 14 14:19:23 2024 +1000
add a sshd_config PamServiceName option
Allows selecting which PAM service name to use when UsePAM is
enabled. Defaults to "sshd" unless overridden at compile time
by defining SSHD_PAM_SERVICE.
bz2102, ok dtucker@
---
auth-pam.c | 13 ++++++-------
servconf.c | 22 +++++++++++++++++++++-
servconf.h | 2 ++
sshd_config.5 | 9 ++++++++-
4 files changed, 37 insertions(+), 9 deletions(-)
diff --git a/auth-pam.c b/auth-pam.c
index d6480237..2c1a8d3d 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -67,10 +67,6 @@
#include <pam/pam_appl.h>
#endif
-#if !defined(SSHD_PAM_SERVICE)
-# define SSHD_PAM_SERVICE "sshd"
-#endif
-
/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
#ifdef PAM_SUN_CODEBASE
# define sshpam_const /* Solaris, HP-UX, SunOS */
@@ -693,6 +689,8 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
const char **ptr_pam_user = &pam_user;
int r;
+ if (options.pam_service_name == NULL)
+ fatal_f("internal error: NULL PAM service name");
#if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
/* Protect buggy PAM implementations from excessively long usernames */
if (strlen(user) >= PAM_MAX_RESP_SIZE)
@@ -714,9 +712,10 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
}
- debug("PAM: initializing for \"%s\"", user);
- sshpam_err =
- pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
+ debug("PAM: initializing for \"%s\" with service \"%s\"", user,
+ options.pam_service_name);
+ sshpam_err = pam_start(options.pam_service_name, user,
+ &store_conv, &sshpam_handle);
sshpam_authctxt = authctxt;
if (sshpam_err != PAM_SUCCESS) {
diff --git a/servconf.c b/servconf.c
index 22afbede..5b32f0bf 100644
--- a/servconf.c
+++ b/servconf.c
@@ -69,6 +69,10 @@
#include "myproposal.h"
#include "digest.h"
+#if !defined(SSHD_PAM_SERVICE)
+# define SSHD_PAM_SERVICE "sshd"
+#endif
+
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
static void add_one_listen_addr(ServerOptions *, const char *,
@@ -88,6 +92,7 @@ initialize_server_options(ServerOptions *options)
/* Portable-specific options */
options->use_pam = -1;
+ options->pam_service_name = NULL;
/* Standard Options */
options->num_ports = 0;
@@ -291,6 +296,8 @@ fill_default_server_options(ServerOptions *options)
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
+ if (options->pam_service_name == NULL)
+ options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
/* Standard Options */
if (options->num_host_key_files == 0) {
@@ -530,7 +537,7 @@ fill_default_server_options(ServerOptions *options)
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
- sUsePAM,
+ sUsePAM, sPAMServiceName,
/* Standard Options */
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
@@ -583,8 +590,10 @@ static struct {
/* Portable-specific options */
#ifdef USE_PAM
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
+ { "pamservicename", sPAMServiceName, SSHCFG_ALL },
#else
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
+ { "pamservicename", sUnsupported, SSHCFG_ALL },
#endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
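Review bot: `pamservicename` is registered with SSHCFG_ALL, which makes it accepted inside Match blocks, while `usepam` directly above it stays SSHCFG_GLOBAL, and the sshd_config.5 hunk in this commit does not add PAMServiceName to the Match section's list of permitted keywords. If per-Match service names are intended, that list needs the new keyword, and it is worth confirming that the pam_start() call in sshpam_init is reached only after the Match configuration for the authenticating user has been applied, otherwise a Match-scoped value is silently ignored. If Match scoping is not intended, SSHCFG_GLOBAL keeps the behaviour consistent with UsePAM; either way the sUnsupported entry in the #else branch should carry the same flag as the supported one.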
@@ -1318,6 +1327,16 @@ process_server_config_line_depth(ServerOptions *options, char *line,
case sUsePAM:
intptr = &options->use_pam;
goto parse_flag;
+ case sPAMServiceName:
+ charptr = &options->pam_service_name;
+ arg = argv_next(&ac, &av);
+ if (!arg || *arg == '\0') {
+ fatal("%s line %d: missing argument.",
+ filename, linenum);
+ }
+ if (*activep && *charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
/* Standard Options */
case sBadOption:
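Review bot: The new sPAMServiceName case accepts any non-empty token without a sanity check, although pam_start() uses the value to locate the service's policy, typically a file named after the service in the PAM configuration directory. sshd_config is administrator-controlled so this is not a privilege boundary, but a name containing a path separator is almost certainly a misconfiguration, and rejecting it at parse time gives a clear diagnostic instead of a PAM failure at authentication time: `if (strchr(arg, '/') != NULL) fatal("%s line %d: invalid PAM service name.", filename, linenum);` placed after the missing-argument check. The `*activep && *charptr == NULL` form matches the other string options, so the first occurrence wins as expected. process_server_config_line_depth continues outside the hunk.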
@@ -3128,6 +3147,7 @@ dump_config(ServerOptions *o)
/* integer arguments */
#ifdef USE_PAM
dump_cfg_fmtint(sUsePAM, o->use_pam);
+ dump_cfg_string(sPAMServiceName, o->pam_service_name);
#endif
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
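Review bot: The new `dump_cfg_string(sPAMServiceName, o->pam_service_name);` line sits under the `/* integer arguments */` heading next to dump_cfg_fmtint(sUsePAM, ...), so a string option is filed in the integer group of the -T output; either move it to the string-arguments part of dump_config, under its own `#ifdef USE_PAM`, or amend the comment so the grouping stays accurate for the next reader. The value is non-NULL here only because fill_default_server_options() supplies the xstrdup'd default first, which is worth a short comment if dump_config can ever run before defaults are filled. dump_config continues outside the hunk.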
diff --git a/servconf.h b/servconf.h
index 8984e996..22b158d1 100644
--- a/servconf.h
+++ b/servconf.h
@@ -210,6 +210,7 @@ typedef struct {
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
+ char *pam_service_name;
int permit_tun;
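Review bot: The new `char *pam_service_name;` member has no comment, unlike the neighbouring `int use_pam; /* Enable auth via PAM */`; suggest `char *pam_service_name; /* Service name for pam_start(); NULL until defaults are filled */` so the NULL-before-fill_default_server_options state that sshpam_init's fatal_f check guards against is documented at the declaration. The enclosing struct definition starts and ends outside the hunk.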
@@ -294,6 +295,7 @@ TAILQ_HEAD(include_list, include_item);
M_CP_STROPT(ca_sign_algorithms); \
M_CP_STROPT(routing_domain); \
M_CP_STROPT(permit_user_env_allowlist); \
+ M_CP_STROPT(pam_service_name); \
M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
M_CP_STRARRAYOPT(allow_users, num_allow_users); \
M_CP_STRARRAYOPT(deny_users, num_deny_users); \
diff --git a/sshd_config.5 b/sshd_config.5
index 11c341a9..b228e905 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1368,10 +1368,17 @@ and
key exchange methods.
The default is
.Pa /etc/moduli .
+.It Cm PAMServiceName
+Specifies the service name used for Pluggable Authentication Modules (PAM)
+authentication, authorisation and session controls when
+.Cm UsePAM
+is enabled.
+The default is
+.Cm sshd .
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
-.Cm yes .
+.Cm sshd .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
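Review bot: The last change in this hunk replaces the documented default of PasswordAuthentication, `.Cm yes .`, with `.Cm sshd .`, which reads like an editing slip made while inserting the PAMServiceName entry above it; the servconf.c hunks in this commit do not touch password authentication, so that line should be restored to `.Cm yes .`. The new PAMServiceName entry itself reads correctly; it could additionally mention that the compiled-in default may differ when SSHD_PAM_SERVICE is defined at build time, as the commit message states.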