[PATCH] Specify PAM Service name in sshd_config

Schmidt, Kenneth P kenneth.schmidt at pnnl.gov
Fri May 17 01:52:42 EST 2013



On 5/15/13 12:36 p.m., "Ben Lindstrom" <mouring at eviladmin.org> wrote:

>
>On May 15, 2013, at 2:03 PM, Jan Pechanec <jan.pechanec at oracle.com> wrote:
>
>> On Wed, 15 May 2013, Schmidt, Kenneth P wrote:
>[..]
>>> Why not just use the PAMServiceName and use a Flag to indicate that the
>>> authentication method should be appended to the PAM service?  So
>>> something like
>>> 
>>> PAMServiceName	admincli
>>> PAMAppendAuthMethod	yes
>>> 
>>> would be admincli-kbdint.  That way both the pam service and the auth
>>> method could be specified without worrying about the options being
>>> mutually exclusive and preventing a possible invalid configuration to
>>> be specified.
>> 
>> 	I personally think it's more complicated since you'd always need
>> both options' values to figure out what will be the PAM service name,
>> either explicitly stated in the config file or their implicit default
>> value(s). J.
>
>
>Personally think Mr Morgan's solution is more elegant as there is a single
>configuration and no conflicting options.
>
>- Ben

I agree.  I will code something up and submit a new patch that allows
macros.  I don't know what values are available at the point of
authentication, but it looks like anything in the authentication context
and global options are easily available.  I will start with the
executable, the authentication method, and the server port initially and
see if there are any other options we want to add later.


