[PATCH] Specify PAM Service name in sshd_config

Iain Morgan imorgan at nas.nasa.gov
Tue May 14 08:32:17 EST 2013


On Mon, May 13, 2013 at 11:22:13 -0500, Schmidt, Kenneth P wrote:
> Hello All,
> 
> The attached patch allows openssh to specify which pam service name to
> authenticate users against by specifying the PAMServiceName attribute in
> the sshd_config file.  Because the parameter can be included in the Match
> directive sections, it allows different authentication based on the Match
> directive.  In our case, we use it to allow different levels of
> authentication based on the source of the authentication attempts
> (SecurID auth in untrusted zones, password auth in trusted zones).  The
> default is still to use the binary name.
> 

Hello Ken,

Do you anticipate using this primarily with PasswordAuthentication or
ChallengeResponseAuthentication?

There may be situations where it is desirable to use different PAM
service names for each of these authentication methods. For example, it
might be desirable to allow a choice of password or public-key
authentication in conjunction with the use of a hardware token via
AuthenticationMethods:

AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive

In such a scenario, you would probably want to use different PAM
configurations for keyboard-interactive and password authentication.
Keyboard-interactive would use a different PAM service name to implement
the hardware token support, but you might still want password
authentication to use PAM for failed login tracking, LDAP support, etc.

Perhaps one apparoach would be to extend the submethod support which was
recently added to AuthenticationMethods; adding an optional third
parameter which (in the case of PAM) would specify the service name.
Using the above AuthenticationMethods line as an example, the new
(somewhat lengthy) line would be:

AuthenticationMethods publickey,keyboard-interactive:pam:service password,keyboard-interactive:pam:service

-- 
Iain Morgan
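The zone-based setup Ken describes relies on sshd's Match semantics: a keyword set in a matching Match block overrides the global value, and when several Match blocks match the same connection, the first block that sets a keyword wins. That ordering rule decides which PAM service a given client would actually hit, and a more specific Match placed after a broader one is silently shadowed. The following is an added example, not code from the thread or from OpenSSH: a small resolver that applies those rules to a constructed sshd_config and reports the effective AuthenticationMethods and PAMServiceName for a source address. PAMServiceName is the directive the patch proposes, not a stock keyword; the address ranges and service names are made up; only the Match Address criterion is modelled (real sshd also matches User, Group, Host, LocalAddress and LocalPort).

```python
"""Resolve effective sshd_config keywords for a connection from a given
source address, mimicking sshd's Match handling:

  * global keywords apply unless a matching Match block sets them;
  * within any section, the first occurrence of a keyword wins;
  * across several matching Match blocks, the first block that sets a
    keyword wins, so later (even more specific) blocks are shadowed.

Only `Match Address` is modelled here (an assumption/simplification).
Keyword names are lowercased, as sshd treats them case-insensitively.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample config (not a real deployment).  PAMServiceName is the
# directive proposed by the patch under discussion, not a stock keyword.
SAMPLE_SSHD_CONFIG = """
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# default (untrusted zones): key + token via a dedicated PAM stack
AuthenticationMethods publickey,keyboard-interactive
PAMServiceName sshd-securid

# trusted management network: plain password against the default PAM stack
Match Address 10.0.0.0/8
    AuthenticationMethods password
    PAMServiceName sshd

# one host inside that range we still want token-protected; because this
# block comes AFTER the broader one, its values are shadowed for 10.0.0.5
Match Address 10.0.0.5
    AuthenticationMethods publickey,keyboard-interactive
    PAMServiceName sshd-securid
"""

MatchBlock = Tuple[List[str], Dict[str, str]]


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[MatchBlock]]:
    """Split config text into global keywords and ordered Match blocks."""
    global_opts: Dict[str, str] = {}
    blocks: List[MatchBlock] = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = arg.split()
            if len(tokens) != 2 or tokens[0].lower() != "address":
                raise ValueError(f"only 'Match Address <list>' is modelled: {line}")
            current = {}
            blocks.append((tokens[1].split(","), current))
            continue
        current.setdefault(keyword, arg)  # first occurrence in a section wins
    return global_opts, blocks


def address_matches(addr: str, patterns: List[str]) -> bool:
    """Match a source address against an sshd-style address list: each
    entry is a host or CIDR block, optionally negated with '!'.  A negated
    entry that matches rejects the whole list; otherwise any positive match
    accepts it."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        net = ipaddress.ip_network(pat.lstrip("!"), strict=False)
        if ip in net:  # False when address families differ
            if negate:
                return False
            matched = True
    return matched


def effective_options(text: str, source_addr: str) -> Dict[str, str]:
    """Return the keyword values sshd would use for a client at source_addr."""
    global_opts, blocks = parse_sshd_config(text)
    from_match: Dict[str, str] = {}
    for patterns, opts in blocks:
        if address_matches(source_addr, patterns):
            for key, value in opts.items():
                from_match.setdefault(key, value)  # first matching block wins
    return {**global_opts, **from_match}


def auth_profile(text: str, source_addr: str) -> Tuple[str, str]:
    """Convenience: (AuthenticationMethods, PAMServiceName) for a client."""
    opts = effective_options(text, source_addr)
    return opts.get("authenticationmethods", ""), opts.get("pamservicename", "sshd")


if __name__ == "__main__":
    for client in ("192.0.2.10", "10.1.2.3", "10.0.0.5"):
        methods, service = auth_profile(SAMPLE_SSHD_CONFIG, client)
        print(f"{client:>12}: AuthenticationMethods={methods}  PAMServiceName={service}")
```

Running it shows that 10.0.0.5 gets password authentication against the plain `sshd` service despite the later, more specific block: to give that host the token stack, its Match block has to precede the 10.0.0.0/8 one. The same first-match rule would govern any per-method service name attached to AuthenticationMethods submethods as Iain suggests.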

