openssh-9.9p1 problem with faillock pam module
anctop
anctop at gmail.com
Tue Nov 12 23:39:42 AEDT 2024
Dear developers,
Our server implements two SSH services on ports 22 & 8022, with
different PAM settings.
The daemon is built from source of OpenSSH portable releases.
Following the instructions in the INSTALL file, we made a copy of
"<prefix>/sbin/sshd" (for port 22) as "<prefix>/sbin/sshd2" (for port
8022), created a separate "sshd2_config" file, and added corresponding
commands for service "sshd2" in "/etc/pam.conf".
We use the "faillock" PAM module with tally directories
"/etc/security/sshd" and "/etc/security/sshd2" for "sshd" and "sshd2"
respectively.
This approach worked well for release 9.3p1, but a problem is
identified with release 9.9p1.
Normally when a user logs in via "ssh -p 8022 <user>@<host>", his
tally "/etc/security/sshd2/<user>" will be updated.
However, running release 9.9p1, it is found that the tally
"/etc/security/sshd/<user>" is updated instead.
We have also tried to rebuild a binary for "sshd2" with the option
"--with-pam-service=sshd2", but it did not help.
It seems that release 9.9p1 does not use the binary filename as the
PAM service name, but sticks to "sshd" for all instances.
Please kindly advise.
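As an added illustration (not part of the original post or of OpenSSH), the shell snippet below shows the kind of per-service `/etc/pam.conf` layout the report describes, with `pam_faillock` pointed at a separate tally directory for each sshd instance, together with two small audit helpers: one extracts the `dir=` tally directory configured for a named PAM service, the other reports which tally directory actually holds a record for a user after a failed login. The pam.conf lines are constructed sample input (the `deny=` and `unlock_time=` values are arbitrary); the service names and tally paths are the ones named in the post, and the option spellings follow pam_faillock(8).

```shell
#!/bin/sh
# Added example, not from the original post: a constructed pam.conf fragment that
# gives the "sshd" and "sshd2" PAM services their own pam_faillock tally
# directories, plus helpers for auditing which directory each service uses.

# Constructed sample of the relevant /etc/pam.conf lines. The "preauth",
# "authfail" and "authsucc" phases and the dir=/deny=/unlock_time= options are
# the ones documented in pam_faillock(8); the numbers here are arbitrary.
SAMPLE_PAM_CONF='
sshd   auth     required   pam_faillock.so preauth dir=/etc/security/sshd deny=5 unlock_time=900
sshd   auth     [success=1 default=bad] pam_unix.so
sshd   auth     [default=die] pam_faillock.so authfail dir=/etc/security/sshd deny=5 unlock_time=900
sshd   auth     sufficient pam_faillock.so authsucc dir=/etc/security/sshd
sshd   account  required   pam_faillock.so
sshd2  auth     required   pam_faillock.so preauth dir=/etc/security/sshd2 deny=5 unlock_time=900
sshd2  auth     [success=1 default=bad] pam_unix.so
sshd2  auth     [default=die] pam_faillock.so authfail dir=/etc/security/sshd2 deny=5 unlock_time=900
sshd2  auth     sufficient pam_faillock.so authsucc dir=/etc/security/sshd2
sshd2  account  required   pam_faillock.so
'

# faillock_dir SERVICE [PAMCONF_TEXT]
# Print the first dir= value found on a pam_faillock line for SERVICE, or
# "(none)" if the service has no explicit dir= (pam_faillock then falls back
# to its compiled-in default, /var/run/faillock). Reads $SAMPLE_PAM_CONF unless
# a second argument supplies the configuration text, e.g. "$(cat /etc/pam.conf)".
faillock_dir() {
    service=$1
    conf=${2:-$SAMPLE_PAM_CONF}
    dir=$(printf '%s\n' "$conf" \
        | awk -v svc="$service" '
            $1 == svc && $0 ~ /pam_faillock\.so/ {
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^dir=/) { sub(/^dir=/, "", $i); print $i; exit }
            }')
    printf '%s\n' "${dir:-(none)}"
}

# tally_location USER DIR...
# After a deliberately failed login against one instance, report which of the
# given tally directories holds a record for USER. This is the check the post
# performs by hand: with a correctly separated configuration, a failure on the
# port-8022 instance should show up under the sshd2 directory only.
tally_location() {
    user=$1
    shift
    for d in "$@"; do
        if [ -f "$d/$user" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    printf '%s\n' "(no tally)"
    return 0
}

# Stand-alone usage: list the tally directory configured for each service.
for svc in sshd sshd2; do
    printf '%s -> %s\n' "$svc" "$(faillock_dir "$svc")"
done
```

Running `faillock_dir sshd2 "$(cat /etc/pam.conf)"` on the real system shows what the `sshd2` service is configured to use; if a failed `ssh -p 8022` login is then recorded under the directory that `faillock_dir sshd` returns instead, the daemon is authenticating under the `sshd` service name rather than the one its configuration was written for, which is exactly the symptom the post describes.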