[PATCH] Specify PAM Service name in sshd_config
Schmidt, Kenneth P
kenneth.schmidt at pnnl.gov
Thu May 16 03:43:35 EST 2013
On 5/14/13 5:01 p.m., "Jan Pechanec" <jan.pechanec at oracle.com> wrote:
>On Mon, 13 May 2013, Iain Morgan wrote:
>
>>Please ignore what I said regarding extending submethod support in
>>AuthenticationMethods. We would still need a mechanism to specify the
>>alternative PAM service used by keyboard-interactive in cases where
>>AuthenticationMethods is not used.
>
> Iain, aside from PAMServiceName, we have implemented
>PAMServicePrefix in Solaris so that admins can use different PAM service
>names for different auth methods:
>
> PAMServicePrefix
>
> Specifies the PAM service name prefix for service names
> used for individual user authentication methods. The
> default is sshd. The PAMServiceName and PAMServicePrefix
> options are mutually exclusive and if both set, sshd
> does not start.
>
> For example, if this option is set to admincli, the service
> name for the keyboard-interactive authentication method is
> admincli-kbdint instead of the default sshd-kbdint.
>
> J.
>
>>However, I should note the following item which has been on the TODO
>>list for many years.
>>
>>% grep 'PAM service' TODO
>> - Use different PAM service name for kbdint vs regular auth (suggest
>>from
>>
>>
>
>--
>Jan Pechanec <jan.pechanec at oracle.com>
Why not just use the PAMServiceName and use a flag to indicate that the
authentication method should be appended to the PAM service? So something
like

    PAMServiceName admincli
    PAMAppendAuthMethod yes

would be admincli-kbdint. That way both the PAM service and the auth
method could be specified without worrying about the options being
mutually exclusive, and preventing a possible invalid configuration from
being specified.
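
The two option designs discussed in this thread, side by side, as an added example that is not code from the thread, OpenSSH or Solaris. It assumes that PAMServiceName on its own yields one service name for every method, that the base name defaults to "sshd" when nothing is set, and that PAMAppendAuthMethod behaves as proposed above; the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the options discussed in this thread; NULL = unset. */
struct pam_opts {
    const char *service_name;   /* PAMServiceName */
    const char *service_prefix; /* PAMServicePrefix (Solaris) */
    int append_method;          /* PAMAppendAuthMethod (proposed flag) */
};

/* Write "base" or "base-method" into out; -2 if it does not fit. */
static int join(char *out, size_t len, const char *base, const char *method)
{
    int n = method ? snprintf(out, len, "%s-%s", base, method)
                   : snprintf(out, len, "%s", base);
    return (n < 0 || (size_t)n >= len) ? -2 : 0;
}

/* Solaris design: -1 when both options are set (sshd does not start).
 * Assumption: PAMServiceName alone gives one name for every method. */
int resolve_solaris(const struct pam_opts *o, const char *method,
                    char *out, size_t len)
{
    if (o->service_name && o->service_prefix)
        return -1;
    if (o->service_name)
        return join(out, len, o->service_name, NULL);
    return join(out, len, o->service_prefix ? o->service_prefix : "sshd", method);
}

/* Proposed design: the flag only changes how the name is built, so no
 * combination of the two options is rejected. Assumption: base defaults to "sshd". */
int resolve_flag(const struct pam_opts *o, const char *method,
                 char *out, size_t len)
{
    const char *base = o->service_name ? o->service_name : "sshd";
    return join(out, len, base, o->append_method ? method : NULL);
}

int main(void)
{
    char buf[64];
    struct pam_opts both = { "admincli", "admincli", 0 };
    struct pam_opts flag = { "admincli", NULL, 1 };
    printf("solaris, both set: %d\n", resolve_solaris(&both, "kbdint", buf, sizeof buf));
    if (resolve_flag(&flag, "kbdint", buf, sizeof buf) == 0)
        printf("flag design: %s\n", buf);
    return 0;
}
```

Either resolver returns -2 instead of a truncated name when the buffer is too small, so a shortened string is never handed on as a PAM service name.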