incomplete/insufficient logic for making access decisions

Darren J Moffat darrenm at
Sat Mar 23 05:41:12 EST 2002

On Mon, 18 Mar 2002, Frank Cusack wrote:

> I'd agree, this sounds like a reasonable (possibly even good) thing to do.
> You'd have to delay PAM startup until a non-PAM auth started (if you used
> PAM auth you'd have to end it and restart it -- ugly and not worthwhile).
> Something like
>     # Account service to use for non-PAM authentication.  When using
>     # PAM auth, this is always "sshd".  When using non-PAM auth (eg rsa)
>     # the configured service name is used.  Can contain %a which is
>     # substituted with the auth type.  Default is "sshd".
>     PAMAcctService sshd

I very strongly disagree with this.  As one of the "keepers" of PAM
at Sun (the original author) this is the wrong thing to do.  Doing this
increases the complexity of the administration.

There is a better mechanism for doing this in Solaris but it is not yet
public - we are in the process of doing this just now.  I believe it
solves the issue.

Darren J Moffat

More information about the openssh-unix-dev mailing list