[PATCH] Specify PAM Service name in sshd_config

Schmidt, Kenneth P kenneth.schmidt at pnnl.gov
Tue May 14 08:32:21 EST 2013
On 5/13/13 2:16 p.m., "Flavien Lebarbe" <flavien-ssh at lebarbe.net> wrote:

>> The attached patch allows OpenSSH to specify which PAM service name to
>> authenticate users against by specifying the PAMServiceName attribute in
>> the sshd_config file.  Because the parameter can be included in the Match
>> directive sections, it allows different authentication based on the Match
>> directive.  In our case, we use it to allow different levels of
>> authentication based on the source of the authentication attempts
>> (SecurID auth in untrusted zones, password auth in trusted zones).  The
>> default is still to use the binary name.
>
>Have a look at this thread:
>http://thread.gmane.org/gmane.network.openssh.devel/9576
>
>My old attempt at solving the same issue is now 10 years old. Oh well...
>http://article.gmane.org/gmane.network.openssh.devel/4247
>
>
>Hope this helps,
>
>Flavien.

It's obvious there is a desire for the configuration option.  Why hasn't it
been added?  It is considerably easier to add a single configuration
option than it is to play tricks with the binary and firewall rules to
allow separate authentication methods.  With our configuration management
system, it is trivial to add a line to the sshd_config, but I would have
to write a script to check for a link to the binary and add some firewall
rules, not to mention the documentation that would be needed to explain
the roundabout setup.

Combined with the Match directive, the PAMServiceName directive is a more
flexible setup that doesn't require multiple running binaries.  In fact,
you can do things you can't with the binary link, such as having different
authentication systems based on the user logging in.  For example, one
group could authenticate locally, and another group can authenticate to
Kerberos.
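To make the Match-based resolution concrete, here is an added example (not the patch's code and not OpenSSH's parser): a constructed sshd_config using the proposed PAMServiceName directive as described in the thread, plus a small emulation of sshd's Match rules for the Address and Group criteria only (CIDR lists, no wildcards or negation) that returns the PAM service a connection from a given source address and group set would be authenticated against. It assumes the directive name and placement from the message; on a real host the equivalent check is `sshd -T -C addr=...,user=...`.

```python
import ipaddress
import shlex

# Constructed sample sshd_config using the proposed PAMServiceName directive.
SAMPLE_SSHD_CONFIG = """
# Default: authenticate against the PAM service named like the binary
PAMServiceName sshd
# Untrusted zones use the SecurID stack (/etc/pam.d/sshd-securid)
Match Address 203.0.113.0/24,198.51.100.0/24
    PAMServiceName sshd-securid
# Kerberos-only group; listed after the zone block so SecurID still wins there
Match Group krb5users
    PAMServiceName sshd-krb5
"""

def _block_matches(criteria, addr, groups):
    """All criterion/pattern pairs on a Match line must hold (AND)."""
    ip = ipaddress.ip_address(addr)
    for crit, pattern in zip(criteria[::2], criteria[1::2]):
        if crit.lower() == "address":  # CIDR list only; no wildcards or "!"
            nets = [ipaddress.ip_network(n, strict=False) for n in pattern.split(",")]
            if not any(ip in net for net in nets):
                return False
        elif crit.lower() == "group":
            if not set(pattern.split(",")) & set(groups):
                return False
        else:
            raise ValueError(f"unsupported Match criterion: {crit}")
    return True

def effective_setting(config, keyword, addr, groups=()):
    """sshd rule: first value wins in the global section; a matching Match
    block overrides it, and among matching blocks the first value wins."""
    global_val = match_val = None
    in_match = None  # None: global section; else whether this block matched
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = shlex.split(line)
        if key.lower() == "match":
            in_match = _block_matches(args, addr, groups)
        elif key.lower() == keyword.lower() and args:
            if in_match is None and global_val is None:
                global_val = args[0]
            elif in_match and match_val is None:
                match_val = args[0]
    return match_val if match_val is not None else global_val
```

Block order is the security-relevant detail: a Kerberos-group user connecting from an untrusted zone still gets the SecurID service because that Match block comes first; swapping the two blocks would silently downgrade those users to the Kerberos stack.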
