incomplete/insufficient logic for making access decisions

Frank Cusack fcusack at
Sun Mar 24 02:22:00 EST 2002

On Fri, Mar 22, 2002 at 10:41:12AM -0800, Darren J Moffat wrote:
> On Mon, 18 Mar 2002, Frank Cusack wrote:
> > I'd agree, this sounds like a reasonable (possibly even good) thing to do.
> > You'd have to delay PAM startup until a non-PAM auth started (if you used
> > PAM auth you'd have to end it and restart it -- ugly and not worthwhile).
> >
> > Something like
> >
> >     # Account service to use for non-PAM authentication.  When using
> >     # PAM auth, this is always "sshd".  When using non-PAM auth (eg rsa)
> >     # the configured service name is used.  Can contain %a which is
> >     # substituted with the auth type.  Default is "sshd".
> >     PAMAcctService sshd
> I very strongly disagree with this.  As one of the "keepers" of PAM
> at Sun (the original author) this is the wrong thing to do.  Doing this
> increases the complexity of the administration.
> There is a better mechanism for doing this in Solaris but it is not yet
> public - we are in the process of doing this just now.  I believe it
> solves the issue.

It may be the wrong thing, but PAM currently offers no other way to do it.
I was actually thinking to suggest setting something in appdata but then
every PAM module has to know about it.  Of course if you can correct me
here I would love to know how to do this some better way.

The most portable mechanism is using a different service name.  And it's
not so unwieldy, I don't think.


More information about the openssh-unix-dev mailing list