incomplete/insufficient logic for making access decisions

Ivan Popov pin at math.chalmers.se
Tue Mar 19 01:00:09 EST 2002


Hello,

There is a simple but sometimes important omission in access decision
logic in OpenSSH.

It checks against PAM for all authentication methods - it *is* good.
But it provides no means to distinguish, in PAM configuration,
which method has been used for the authentication.

It is sometimes crucial to be able to distinguish between different ways
of authentication, to make the right authorization (login access)
decision.

[e.g. to have allowed-accounts-lists per authentication type]

We have been running openssh for a long time with our own patches to add
different pam service names for different authentication modes,
but it definitely should belong in the mainstream code.

(no, our patches were against 2.*, of no use if I provided them)

We were running with "ssh-rsa" and "ssh-dcegss" style service names along
with "ssh", used for plain pam (i.e. password) authentication.

I see it as an important omission, that fortunately is easy to fix - let
it go down different paths in pam account (authorization) management,
corresponding to different authentication paths.

Best regards,
and thanks for the great software!
--
Ivan
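The per-authentication-type allowed-account lists the post asks for, written out as Linux-PAM service files. This is an added illustration, not part of the original message or of OpenSSH: it assumes an sshd patched as the author describes, so that the PAM service name passed to pam_start() is "ssh" for password authentication and "ssh-rsa" for public-key authentication (stock sshd uses one compile-time service name for every method, so with an unpatched sshd only one of these files would ever be consulted). The list file paths are assumptions.

```conf
# /etc/pam.d/ssh  -- service used by the patched sshd for password logins
# Authentication is still done by sshd/PAM as usual; what differs per
# method is the *account* (authorization) stack below.
auth     required  pam_unix.so
# Only users listed in the password allow-list may log in this way.
# onerr=fail: a missing or unreadable list denies rather than allows.
account  required  pam_listfile.so item=user sense=allow \
                   file=/etc/security/ssh.password.allow onerr=fail
account  required  pam_unix.so
session  required  pam_unix.so

# /etc/pam.d/ssh-rsa  -- service used for public-key logins
# No password is checked here (sshd already verified the key); the
# account stack gets its own, typically broader, allow-list.
auth     required  pam_permit.so
account  required  pam_listfile.so item=user sense=allow \
                   file=/etc/security/ssh.rsa.allow onerr=fail
account  required  pam_unix.so
session  required  pam_unix.so

# /etc/security/ssh.password.allow  (one login name per line; assumed)
# alice
#
# /etc/security/ssh.rsa.allow
# alice
# bob
# deploy
```

With these files, "bob" can log in only with a key; a password login attempt for "bob" passes authentication but is refused at the account stage, and the refusal is attributable to the method because each service name writes its own entry to the auth log.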
