incomplete/insufficient logic for making access decisions
Frank Cusack
fcusack at fcusack.com
Tue Mar 19 16:25:25 EST 2002
On Mon, Mar 18, 2002 at 03:00:09PM +0100, Ivan Popov wrote:
> [e.g. to have allowed-accounts-lists per authentication type]
>
> We have been running openssh for a long time with our own patches to add
> different pam service names for different authentication modes,
> but it definitely should belong to the mainstream code.
>
> (no, our patches were against 2.*, of no use if I'd provide them)
>
> We were running with "ssh-rsa" and "ssh-dcegss" style service names along
> with "ssh", used for plain pam (i.e. password) authentication.

I'd agree, this sounds like a reasonable (possibly even good) thing to do.
You'd have to delay PAM startup until a non-PAM auth started (if you used
PAM auth you'd have to end it and restart it -- ugly and not worthwhile).

Something like

# Account service to use for non-PAM authentication. When using
# PAM auth, this is always "sshd". When using non-PAM auth (e.g. rsa)
# the configured service name is used. Can contain %a which is
# substituted with the auth type. Default is "sshd".
PAMAcctService sshd

seems good.

/fc
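The following is an added illustration of the scheme discussed in this thread, not code from OpenSSH or from either poster. It assumes a hypothetical PAMAcctService-style template with %a substitution (as Frank proposes) and per-service allow lists in the pam_listfile "one user per line" format; the service names, user names and file contents are constructed for the example. It shows the two decisions the thread cares about: which PAM account service a session is checked against, and whether the user is on that service's allow list (a service with no list is treated as deny, so a missing file fails closed).

```python
"""Added example (not OpenSSH code): per-auth-type PAM account service names
and per-service allowed-account lists. Names and data below are constructed."""

DEFAULT_SERVICE = "sshd"  # service always used when PAM itself did the auth


def expand_service_name(template: str, auth_type: str) -> str:
    """Expand a PAMAcctService-style template: '%a' becomes the auth type,
    '%%' becomes a literal '%', any other '%x' is left untouched."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt == "a":
                out.append(auth_type)
                i += 2
                continue
            if nxt == "%":
                out.append("%")
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def service_name(template: str, auth_type: str, pam_auth_used: bool) -> str:
    """Pick the account service: fixed 'sshd' when PAM performed the
    authentication, otherwise the expanded template (e.g. 'sshd-rsa')."""
    if pam_auth_used:
        return DEFAULT_SERVICE
    return expand_service_name(template, auth_type)


def parse_allow_list(text: str) -> frozenset:
    """Parse a pam_listfile-style file: one user per line, '#' comments
    and blank lines ignored, surrounding whitespace stripped."""
    users = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            users.add(line)
    return frozenset(users)


# Constructed allow lists, keyed by PAM service name, standing in for files
# such as /etc/security/sshd-rsa.allow. Note the password service is tighter
# than the key-based one: that per-auth-type split is the point of the thread.
ALLOW_LISTS = {
    "sshd": parse_allow_list("# password logins\nalice\n"),
    "sshd-rsa": parse_allow_list("alice\nbuild   # CI key only\n"),
    "sshd-dcegss": parse_allow_list("alice\ncarol\n"),
}


def account_allowed(service: str, user: str, allow_lists: dict) -> bool:
    """Account decision for one service. A service with no allow list is
    denied (fail closed) rather than silently permitting everyone."""
    users = allow_lists.get(service)
    if users is None:
        return False
    return user in users


def decide(template: str, auth_type: str, pam_auth_used: bool, user: str) -> tuple:
    """Full decision: returns (service_used, allowed)."""
    svc = service_name(template, auth_type, pam_auth_used)
    return svc, account_allowed(svc, user, ALLOW_LISTS)


if __name__ == "__main__":
    for args in (("sshd-%a", "rsa", False, "build"),
                 ("sshd-%a", "password", True, "build"),
                 ("sshd-%a", "kerberos", False, "alice")):
        print(args[3], "via", args[1], "->", decide(*args))
```

With the lists above, the "build" account can log in with an RSA key (checked against sshd-rsa) but not with a password (checked against plain sshd), and an auth type that has no list of its own ("kerberos" here) is refused outright, which is the safer default when a new authentication mode is added before anyone has written its policy.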