Changing PAM service name in sshd_config, or running sshd as non-root

Michael Tokarev mjt at
Thu Mar 27 03:25:25 EST 2003

Currently, openssh's PAM service name is a compile-time choice.
That's fine when one uses one sshd to serve normal shell logins
and the like.  But this will not work IF sshd is nor run as
root (which I don't want it to do), because pam_open_session
usually requires access to one's shadow information (for account
expiration perhaps?), and there is no way (and need: this sshd
is installed to handle a specific task (or a set of tasks, really),
where NO pam work is needed at all - to only allow port forwarding
for several authorized (via keys) parties, something like tunnels -
just to give an example) to give this information to a non-root
process.  So, sshd fails:

debug1: ssh_rsa_verify: signature correct
PAM rejected by account configuration[9]: Authentication service cannot retrieve authentication info.
Accepted publickey for mjt from port 1101 ssh2
Failed publickey for mjt from port 1101 ssh2

(note the order of messages - PAM failure first, pubkey acceptance
is second).

So, that to say - why there is no e.g. PamServiceName configuration
option in sshd_config?



More information about the openssh-unix-dev mailing list