[PATCH] Specify PAM Service name in sshd_config
Iain Morgan
imorgan at nas.nasa.gov
Tue May 14 10:29:01 EST 2013
On Mon, May 13, 2013 at 17:32:17 -0500, Iain Morgan wrote:
> On Mon, May 13, 2013 at 11:22:13 -0500, Schmidt, Kenneth P wrote:
> > Hello All,
> >
> > The attached patch allows openssh to specify which pam service name to
> > authenticate users against by specifying the PAMServiceName attribute in
> > the sshd_config file. Because the parameter can be included in the Match
> > directive sections, it allows different authentication based on the Match
> > directive. In our case, we use it to allow different levels of
> > authentication based on the source of the authentication attempts
> > (securID auth in untrusted zones, password auth in trusted zones). The
> > default is still to use the binary name.
> >
>
> Hello Ken,
>
> Do you anticipate using this primarily with PasswordAuthentication or
> ChallengeResponseAuthentication?
>
> There may be situations where it is desirable to use different PAM
> service names for each of these authentication methods. For example, it
> might be desirable to allow a choice of password or public-key
> authentication in conjunction with the use of a hardware token via
> AuthenticationMethods:
>
> AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive
>
> In such a scenario, you would probably want to use different PAM
> configurations for keyboard-interactive and password authentication.
> Keyboard-interactive would use a different PAM service name to implement
> the hardware token support, but you might still want password
> authentication to use PAM for failed login tracking, LDAP support, etc.
>
> Perhaps one approach would be to extend the submethod support which was
> recently added to AuthenticationMethods; adding an optional third
> parameter which (in the case of PAM) would specify the service name.
> Using the above AuthenticationMethods line as an example, the new
> (somewhat lengthy) line would be:
>
> AuthenticationMethods publickey,keyboard-interactive:pam:service password,keyboard-interactive:pam:service
>
> --
> Iain Morgan
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Please ignore what I said regarding extending submethod support in
AuthenticationMethods. We would still need a mechanism to specify the
alternative PAM service used by keyboard-interactive in cases where
AuthenticationMethods is not used.
However, I should note the following item which has been on the TODO
list for many years.
% grep 'PAM service' TODO
- Use different PAM service name for kbdint vs regular auth (suggest from
--
Iain Morgan
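As an added illustration of the per-zone behaviour discussed in this thread (this is not Ken's attached patch and not OpenSSH code), the following toy resolver models how sshd applies Match blocks to a connection: keywords in a Match block whose criteria are met override the global section, and when several blocks apply, the first block that sets a keyword wins for that keyword. PAMServiceName is the keyword the patch proposes, not one stock OpenSSH understands; the sshd_config text, the addresses and the service names are constructed for this example, and only the Address and User criteria are modelled.

```python
"""Toy resolver for the PAMServiceName-in-Match proposal (example code, not the
thread's patch and not OpenSSH's own parser).

Rules modelled from sshd_config(5): a Match block whose criteria are satisfied
overrides the global section, and among several applicable Match blocks the
first one that sets a keyword wins for that keyword.
"""
import ipaddress

# Constructed sample sshd_config: RFC 1918 source zones are treated as trusted
# and get plain password authentication against one PAM service; every other
# source gets a two-step policy backed by a token-aware PAM service.
SAMPLE_CONFIG = """
PasswordAuthentication no
ChallengeResponseAuthentication yes
PAMServiceName sshd

Match Address 10.0.0.0/8,192.168.0.0/16
    PasswordAuthentication yes
    AuthenticationMethods publickey password
    PAMServiceName sshd-trusted

Match Address 0.0.0.0/0
    AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive
    PAMServiceName sshd-securid
"""


def parse_match_criteria(spec):
    """Parse 'Address a,b User c' into {'address': [a, b], 'user': [c]}."""
    tokens = spec.split()
    return {name.lower(): value.split(',')
            for name, value in zip(tokens[::2], tokens[1::2])}


def parse_config(text):
    """Split the config into global settings and an ordered list of Match blocks.

    Returns (global_settings, blocks); every settings list holds
    (lowercased keyword, value) pairs in file order, and each block is a
    (criteria, settings) pair.
    """
    global_settings, blocks = [], []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        keyword, _, value = line.partition(' ')
        if keyword.lower() == 'match':
            current = []
            blocks.append((parse_match_criteria(value), current))
        else:
            current.append((keyword.lower(), value.strip()))
    return global_settings, blocks


def block_matches(criteria, client_ip, user):
    """Every criterion on a Match line must hold for the block to apply."""
    addr = ipaddress.ip_address(client_ip)
    if 'address' in criteria:
        networks = (ipaddress.ip_network(n, strict=False) for n in criteria['address'])
        # An IPv6 client never falls inside an IPv4 network, and vice versa.
        if not any(addr in net for net in networks):
            return False
    if 'user' in criteria and user not in criteria['user']:
        return False
    return True


def effective_settings(text, client_ip, user='alice'):
    """Resolve the keywords that would apply to a connection from client_ip.

    Applicable Match blocks are consulted in file order and the first one to
    set a keyword wins; anything no block sets falls back to the global section.
    """
    global_settings, blocks = parse_config(text)
    effective = {}
    for criteria, settings in blocks:
        if not block_matches(criteria, client_ip, user):
            continue
        for keyword, value in settings:
            effective.setdefault(keyword, value)
    for keyword, value in global_settings:
        effective.setdefault(keyword, value)
    return effective


def pam_service_for(text, client_ip, user='alice'):
    """The PAM service name this proposal would select for the connection."""
    return effective_settings(text, client_ip, user).get('pamservicename')


if __name__ == '__main__':
    for ip in ('10.1.2.3', '203.0.113.5', '2001:db8::1'):
        conf = effective_settings(SAMPLE_CONFIG, ip)
        print(ip, conf['pamservicename'], conf.get('authenticationmethods'))
```

The trusted block sets AuthenticationMethods explicitly on purpose: without that line the catch-all `Match Address 0.0.0.0/0` block would still apply for the keywords the trusted block leaves unset, so a trusted-zone client would inherit the keyboard-interactive requirement. On a real host the equivalent check is `sshd -T -C addr=<client>,user=<name>,host=<name>`, which prints the effective configuration after Match processing.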