OpenSSH public key problem with Solaris 10

Darren Tucker dtucker at zip.com.au
Sat Jul 1 15:14:52 EST 2006


On Fri, Jun 30, 2006 at 10:55:35AM -0500, Douglas E. Engert wrote:
> The Solaris 10 sshd has a nice PAM feature, in that it
> will use a different pam service name  depending on the auth used.
> For example: sshd-password, sshd-kdbint, sshd-pubkey, sshd-gssapi ...
> The sshd_config can override these too.
> 
> Thus you can skip the pam_krb5 for pubkey.
> 
> OpenSSH might want to consider a similiar feature.

I've seen that mentioned earlier (here or elsewhere) and it's also
been listed in OpenSSH's TODO file for a long time (originally from
Solar Designer).  It's not a bad idea, but the catch is that it would
require either another compile or run time button and/or a migration
hassle.

This is because there's no (sane) way to tell which PAM services are
available: pam_get_item(handle, PAM_SERVICE, [...]) will return the
service name you asked for, not the service name that you actually got
(which makes it kinda useless, since you already know what you asked
for).

Thus there is no way to, eg, try "sshd-kbdint" and fall back to "sshd"
if it's not available (in the first instance you'll get the "other"
service but have no way of knowing it).

This is the case on at least Sun and LinuxPAM implementations.  You can
confirm this behaviour on other platforms with my PAM test tool:
http://www.zip.com.au/~dtucker/patches/#pamtest

$ sudo ./pam-test-harness -s some-random-service
[...]
pam_start(some-random-service, (NULL), &conv, &pamh) = 0 (Success)
pam_get_item(pamh, PAM_SERVICE, ...) = 0 (Success)
    PAM_SERVICE = some-random-service (unchanged)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.




More information about the openssh-unix-dev mailing list