Changing PAM service name in sshd_config, or running sshd as non-root
Michael Tokarev
mjt at tls.msk.ru
Thu Mar 27 03:25:25 EST 2003
Currently, openssh's PAM service name is a compile-time choice.
That's fine when one uses one sshd to serve normal shell logins
and the like. But this will not work if sshd is not run as
root (which I don't want it to do), because pam_open_session
usually requires access to one's shadow information (for account
expiration perhaps?), and there is no way (and no need: this sshd
is installed to handle a specific task (or a set of tasks, really),
where NO pam work is needed at all - to only allow port forwarding
for several authorized (via keys) parties, something like tunnels -
just to give an example) to give this information to a non-root
process. So, sshd fails:
debug1: ssh_rsa_verify: signature correct
PAM rejected by account configuration[9]: Authentication service cannot retrieve authentication info.
Accepted publickey for mjt from 127.0.0.1 port 1101 ssh2
Failed publickey for mjt from 127.0.0.1 port 1101 ssh2
(note the order of messages - PAM failure first, pubkey acceptance
is second).
So, that is to say - why is there no e.g. PamServiceName configuration
option in sshd_config?
Thanks.
/mjt
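For readers setting up the kind of forwarding-only, key-authenticated instance the post describes, a minimal configuration is shown below. This is an added illustration, not part of the original message or of the OpenSSH project; the `tunnel` account, the paths, the listening port and the destination in `permitopen` are assumptions. Later OpenSSH releases added a `UsePAM` directive, so a second instance can skip PAM entirely instead of needing a separate PAM service name at compile time.

```text
# sshd_config for a tunnel-only instance started by the unprivileged
# "tunnel" account, e.g.:  sshd -f /home/tunnel/etc/sshd_config
# (account name, paths and port are assumed values)
Port 2222
ListenAddress 127.0.0.1
HostKey /home/tunnel/etc/ssh_host_rsa_key
PidFile /home/tunnel/var/sshd.pid
AuthorizedKeysFile /home/tunnel/etc/authorized_keys

# Only the service account, only public-key authentication
AllowUsers tunnel
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no

# Forwarding is the only purpose; everything else stays off
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
UsePAM no          # only available in releases that have this directive

# /home/tunnel/etc/authorized_keys (one line per peer): restrict each key
# to the single destination it may reach and deny pty/agent/X11 use
no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="10.0.0.5:5432" ssh-rsa AAAA...EXAMPLEKEY peer1
```

Peers then connect with `ssh -N -L <localport>:10.0.0.5:5432 tunnel@host -p 2222`; the `permitopen` restriction means a compromised peer key cannot be used to reach any other host through the tunnel sshd.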