[Bug 2980] New feature: Configure PAM Service Name in sshd_config

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Mar 14 11:02:22 AEDT 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=2980

--- Comment #1 from Eric Price <corvuscorax at cybertrench.com> ---
I did some digging in the bug database and the dev mailing list.
Looks like I'm not the first person in need of that feature.

A first implementation was first suggested on the dev mailinglist
2 decades ago:

https://marc.info/?l=openssh-unix-dev&m=95840880026194&w=2

with code provided and a configurable flag PAMService in sshd_config

This was in OpenSSH 1.1, so no support for multiple AuthMethods, and no
support for Match directives, since OpenSSH didn't have that yet.

-- There was no followup discussion on the mailing list and the patch
was never included in the codebase.

Then there is a bug from 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2102
with multiple implementations which has been marked as a duplicate of
https://bugzilla.mindrot.org/show_bug.cgi?id=2246

This implemnentation takes a different route and assigns a prefix with
a suffix for every single auth mechanism - including those that do not
even use PAM for the auth procedure but only for session and account
maintenance.

IMHO that is overkill, and lead to a interesting discussion of using
macros in the arguments.

Several implementations of this exist on both mailinglist and
attachments, but again none of them were implemented, the bug is still
open.

I would request to not mark this bug as a duplicate, as the approach to
solving the problem (not necessarily its implementation) is IMHO
superior to the macro approach.

The generalized approach is:

- Use a generic PAMServiceName for the pam session for (account) and
(session)

Use authentication method specific overrides only for (auth) and only
for authentication methods that are actually PAM based.

AFAIK at the moment only ChallengeResponse/KeyboardInteractive and
PasswordAuthentication use PAM for auth, so a single additional flag
would be sufficient at the moment to distinguish these cases.

This is also necessary due to the difference in capabilities
(interactive versus dumbfired)

Other authentication methods, such as keybased or kerberos only use PAM
for account and session management after authentication succeeded (if
UsePAM is true)

if in the future additional PAM (auth) based variants get added, they
could introduce their own configuration flags to override
PAMServiceName as needed - possibly in the form of
<AuthMethodName>PAMServiceName

Most importantly this does not conflict with the cases in which the
login procedure requests multiple authentication methods in series, as
obviously only one pam service can be responsible for session
management after all of them succeeded.

Does this make sense?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list