[PATCH] Specify PAM Service name in sshd_config

Iain Morgan imorgan at nas.nasa.gov
Tue May 14 10:29:01 EST 2013


On Mon, May 13, 2013 at 17:32:17 -0500, Iain Morgan wrote:
> On Mon, May 13, 2013 at 11:22:13 -0500, Schmidt, Kenneth P wrote:
> > Hello All,
> > 
> > The attached patch allows openssh to specify which pam service name to
> > authenticate users against by specifying the PAMServiceName attribute in
> > the sshd_config file.  Because the parameter can be included in the Match
> > directive sections, it allows different authentication based on the Match
> > directive.  In our case, we use it to allow different levels of
> > authentication based on the source of the authentication attempts
> > (securID auth in untrusted zones, password auth in trusted zones).  The
> > default is still to use the binary name.
> > 
> 
> Hello Ken,
> 
> Do you anticipate using this primarily with PasswordAuthentication or
> ChallengeResponseAuthentication?
> 
> There may be situations where it is desirable to use different PAM
> service names for each of these authentication methods. For example, it
> might be desirable to allow a choice of password or public-key
> authentication in conjunction with the use of a hardware token via
> AuthenticationMethods:
> 
> AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive
> 
> In such a scenario, you would probably want to use different PAM
> configurations for keyboard-interactive and password authentication.
> Keyboard-interactive would use a different PAM service name to implement
> the hardware token support, but you might still want password
> authentication to use PAM for failed login tracking, LDAP support, etc.
> 
> Perhaps one approach would be to extend the submethod support which was
> recently added to AuthenticationMethods; adding an optional third
> parameter which (in the case of PAM) would specify the service name.
> Using the above AuthenticationMethods line as an example, the new
> (somewhat lengthy) line would be:
> 
> AuthenticationMethods publickey,keyboard-interactive:pam:service password,keyboard-interactive:pam:service
> 
> -- 
> Iain Morgan
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Please ignore what I said regarding extending submethod support in
AuthenticationMethods. We would still need a mechanism to specify the
alternative PAM service used by keyboard-interactive in cases where
AuthenticationMethods is not used.

However, I should note the following item which has been on the TODO
list for many years.

% grep 'PAM service' TODO
 - Use different PAM service name for kbdint vs regular auth (suggest from

-- 
Iain Morgan
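As an added illustration of the two configurations discussed above (not part of the thread, and not code from the patch or from OpenSSH): the per-zone layout Ken describes, written with the directive his patch proposes, next to the PAM service the untrusted zone would use. PAMServiceName does not exist in stock OpenSSH; the address ranges, the service name sshd-token and the pam_securid.so module line are assumptions standing in for a site's own values.

```text
# /etc/ssh/sshd_config (added illustration; PAMServiceName is the directive
# proposed by the patch in this thread, not a stock OpenSSH option)
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

# Trusted zone (address range assumed): plain password through PAM.
# No PAMServiceName here, so the patch falls back to its default, the
# binary name, i.e. /etc/pam.d/sshd exactly as today.
Match Address 10.0.0.0/8
    AuthenticationMethods password publickey

# Everything else: require a hardware token via keyboard-interactive and
# run that PAM conversation against a separate service (name assumed).
# The "*,!CIDR" form matches any address outside the trusted range.
Match Address *,!10.0.0.0/8
    PasswordAuthentication no
    AuthenticationMethods publickey,keyboard-interactive
    PAMServiceName sshd-token

# /etc/pam.d/sshd-token (assumed file for the assumed service name;
# Linux-PAM syntax). pam_securid.so is an assumption matching the
# "securID auth" mentioned in the thread; substitute the token module
# actually deployed.
auth     required   pam_securid.so
account  include    sshd
session  include    sshd
```

Note what this layout cannot express: within one Match block the directive names a single service, so if the untrusted block also offered the password method, both password and keyboard-interactive would be run against sshd-token. That is the gap the TODO entry quoted above ("different PAM service name for kbdint vs regular auth") refers to, and it is independent of whether AuthenticationMethods is in use.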

