[Bug 2246] PAM enhancements for OpenSSH server
bugzilla-daemon at mindrot.org
Thu Jul 3 12:24:07 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2246
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I think it would be better to support a couple of %-escapes in
PAMServiceName. E.g.
    PAMServiceName sshd-%m
where %m is replaced with the authentication method in use. Some others
for port number and interface address might make sense too.
Also, I don't think the proposed patch is correct - there is state in
auth-pam.c that should be stored separately per service name.
E.g. a PAM stack for password auth might set sshpam_account_status.
Later, a different authentication method might be tried resulting in a
different PAM stack being executed, but this cached value will still be
preferentially used. This could allow access inappropriately (or
vice-versa).
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
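
An added example, not part of the original message and not OpenSSH code: a constructed C model of the two points in comment #1, expanding the proposed %m escape and contrasting one cached account verdict with a verdict kept per service name. The stack names, their verdicts and every function name here are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model: each PAM stack is reduced to its account-phase verdict. */
static const struct { const char *service; int account_ok; } stacks[] = {
    { "sshd-password",  1 },   /* constructed: permits the account */
    { "sshd-publickey", 0 },   /* constructed: denies the account */
};
#define NSTACKS (sizeof(stacks) / sizeof(stacks[0]))

/* Expand the first %m in tmpl to the method name; -1 if out is too small. */
int expand_service(const char *tmpl, const char *method, char *out, size_t len)
{
    const char *p = strstr(tmpl, "%m");
    int n = p ? snprintf(out, len, "%.*s%s%s", (int)(p - tmpl), tmpl, method, p + 2)
              : snprintf(out, len, "%s", tmpl);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}
static int find_stack(const char *service)
{
    for (size_t i = 0; i < NSTACKS; i++)
        if (strcmp(stacks[i].service, service) == 0) return (int)i;
    return -1;
}

/* One cached verdict for the whole session: the hazard the comment describes. */
static int global_status = -1;
int account_check_global(const char *service)
{
    int i = find_stack(service);
    if (global_status == -1) global_status = (i >= 0) ? stacks[i].account_ok : 0;
    return global_status;   /* later calls ignore which stack was asked for */
}

/* Verdict cached per service name; unknown services fail closed. */
static int per_status[NSTACKS] = { -1, -1 };
int account_check_per_service(const char *service)
{
    int i = find_stack(service);
    if (i >= 0 && per_status[i] == -1) per_status[i] = stacks[i].account_ok;
    return (i >= 0) ? per_status[i] : 0;
}

int main(void)
{
    char pw[32], pk[32];
    if (expand_service("sshd-%m", "password", pw, sizeof(pw))) return 1;
    if (expand_service("sshd-%m", "publickey", pk, sizeof(pk))) return 1;
    account_check_global(pw); account_check_per_service(pw);  /* password tried first */
    printf("%s: global=%d per-service=%d\n", pk, account_check_global(pk), account_check_per_service(pk));
    return 0;
}
```

With the password stack evaluated first, the single cached value reports the account as permitted for the publickey stack as well, while the per-service cache returns that stack's own denial.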