[PATCH] Specify PAM Service name in sshd_config

Iain Morgan imorgan at nas.nasa.gov
Thu May 16 04:09:40 EST 2013


On Wed, May 15, 2013 at 12:43:35 -0500, Schmidt, Kenneth P wrote:
> 
> 
> On 5/14/13 5:01 p.m., "Jan Pechanec" <jan.pechanec at oracle.com> wrote:
> 
> >On Mon, 13 May 2013, Iain Morgan wrote:
> >
> >>Please ignore what I said regarding extending submethod support in
> >>AuthenticationMethods. We would still need a mechanism to specify the
> >>alternative PAM service used by keyboard-interactive in cases where
> >>AuthenticationMethods is not used.
> >
> >	Iain, aside from PAMServiceName, we have implemented
> >PAMServicePrefix in Solaris so that admins can use different PAM service
> >names for different auth methods:
> >
> >     PAMServicePrefix
> >
> >         Specifies the PAM service name prefix for service  names
> >         used  for  individual  user  authentication methods. The
> >         default is sshd. The PAMServiceName and PAMServicePrefix
> >         options  are  mutually  exclusive  and if both set, sshd
> >         does not start.
> >
> >         For example, if this option is set to admincli, the ser-
> >         vice  name  for  the keyboard-interactive authentication
> >         method is admincli-kbdint instead of the  default  sshd-
> >         kbdint.
> >
> >	J.
> >
> >>However, I should note the following item which has been on the TODO
> >>list for many years.
> >>
> >>% grep 'PAM service' TODO
> >> - Use different PAM service name for kbdint vs regular auth (suggest
> >>from
> >>
> >>
> >
> >-- 
> >Jan Pechanec <jan.pechanec at oracle.com>
> 
> Why not just use the PAMServiceName and use a Flag to indicate that the
> authentication method should be appended to the PAM service?  So something
> like 
> 
> PAMServiceName	admincli
> PAMAppendAuthMethod	yes
> 
> would be admincli-kbdint.  That way both the pam service and the auth
> method could be specified without worrying about the options being
> mutually exclusive and preventing a possible invalid configuration to be
> specified.
> 

Hmm, what if PAMServiceName supported some % macros? Some candidates
would be %c for the executable, %m for the authentication method, and %p
for the server port.

This would allow something like:

	PAMServiceName	%c-%m

or

	PAMServiceName	admincli-%m

-- 
Iain Morgan
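As an added illustration of the % macro idea proposed above (this is not code from OpenSSH or from anyone in the thread), a small C expander that resolves %c, %m and %p and refuses to produce a name that would be unsafe as a PAM service lookup; the function name, its argument list and the allowed character set are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Expand the %c (executable), %m (auth method) and %p (server port)
 * macros of a PAMServiceName template.  Returns 0 on success, -1 on
 * error: unknown macro, dangling '%', result too long, empty result,
 * or a character that is not safe in a PAM service name.  Hypothetical
 * helper written for this example, not an OpenSSH interface. */
int expand_pam_service(const char *tmpl, const char *prog, const char *method,
                       unsigned port, char *out, size_t outlen)
{
    size_t o = 0;
    char portbuf[16];
    snprintf(portbuf, sizeof portbuf, "%u", port);

    for (const char *p = tmpl; *p != '\0'; p++) {
        const char *rep;
        char lit[2] = { *p, '\0' };
        if (*p == '%') {
            p++;                      /* look at the macro letter */
            switch (*p) {
            case 'c': rep = prog;    break;
            case 'm': rep = method;  break;
            case 'p': rep = portbuf; break;
            case '%': rep = "%";     break;
            default:  return -1;      /* unknown macro or trailing '%' */
            }
        } else {
            rep = lit;
        }
        size_t n = strlen(rep);
        if (o + n >= outlen)          /* leave room for the NUL */
            return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    if (o == 0)
        return -1;
    /* PAM resolves the service name to a file under /etc/pam.d, so only
     * allow a conservative character set and no leading dot. */
    for (size_t i = 0; i < o; i++) {
        unsigned char ch = (unsigned char)out[i];
        if (!(isalnum(ch) || ch == '-' || ch == '_' || ch == '.'))
            return -1;
    }
    return out[0] == '.' ? -1 : 0;
}
```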

