[Bug 2980] New: New feature: Configure PAM Service Name in sshd_config

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Mar 14 08:43:45 AEDT 2019


            Bug ID: 2980
           Summary: New feature: Configure PAM Service Name in sshd_config
           Product: Portable OpenSSH
           Version: -current
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: corvuscorax at cybertrench.com

Created attachment 3252
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3252&action=edit
Patch to openssh-portable implementing above feature

I ran into a problem setting up 2 factor authentication with
OpenSSH-portable and PAM.

The issue is, although openssh uses several different authentication
mechanisms with different interaction capabilities, each of which use
PAM as a backend, there is only a single service name, and as such only
a single PAM configuration that needs to serve all of them.

This isn't flexible enough for more complex usecases. A detailed
explanation of the problem and possible workarounds is here:


The proper way of solving this is IMHO a more flexible way to interact
with PAM, using a configurable PAMServiceName, which then can be
overridden in Match directives based on remote host, user, ...

Since both PasswordAuthentication and ChallengeResponseAuthentication
use PAM, it also makes sense to have a separate PasswordPAMServiceName,
allowing a different PAM service configuration for this non-interactive

I took the liberty of implementing this suggestion.

>From the man-page:

             Specifies the service identifier to be used for
             pluggable authentication modules (PAM).  If set to
             none, the sshd executable name (usually sshd) is
             used.  If set to name, authentication options can be
             configured in a matching file in /etc/pam.d/name.
             The default is none.

             Specifies the service identifier to be used for
             pluggable authentication modules (PAM) for
             PasswordAuthentication only. This is only used for
             the authentication (auth) PAM aspect. For account
             and session management, as well as
             ChallengeResponseAuthentication, the service name
             set in PAMServiceName is applied. This can be help‐
             ful to implement 2 factor authentication.  Example:

                   PAMServiceName sshd_2factor
                   PasswordPAMServiceName sshd_password

             In this example, the challenge response authentica‐
             tion would ask the user for the second factor, for
             example an OATH token, while the first factor could
             be either provided by ssh-key or password. This
             requires two different PAM configurations to be
             used, in this example /etc/pam.d/sshd_2factor and
             /etc/pam.d/sshd_password. If set to none, the value
             of PAMServiceName is used.  The default is none.

I also filed a pull request on github under:


the very same patch is also attached below. I wasn't sure which is the
preferred channel to contribute to this project.

I'm looking forward to your feedback :-)



You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list