| Summary: | [PATCH] Specify PAM Service name in sshd_config | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Ken Schmidt <kenneth.schmidt> | ||||||||
| Component: | PAM support | Assignee: | Assigned to nobody <unassigned-bugs> | ||||||||
| Status: | CLOSED DUPLICATE | ||||||||||
| Severity: | enhancement | CC: | djm, jjelen, plautrba | ||||||||
| Priority: | P5 | ||||||||||
| Version: | 6.2p1 | ||||||||||
| Hardware: | All | ||||||||||
| OS: | All | ||||||||||
| Attachments: |
|
||||||||||
Created attachment 2439 [details]
patch to allow configuring the pam service
The PAMServiceName option is also useful for systems with multiple sshd instances with different levels of access control, see https://bugzilla.redhat.com/show_bug.cgi?id=1060237 The attached patch is Ken Schmidt's patch rebased for the latest sources. Created attachment 2711 [details] rebased patch for curent HEAD After another discussion about difficult setup with more authentication methods and some of them using PAM in Fedora bug [1], I decided to give a try this patch once more, if it would be acceptable for upstream as portable change. There are no changes in the patch, but it is updated to apply clean on current HEAD. Also making obsolete Petr's patch, since it is just a file with comment. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1263133 *** This bug has been marked as a duplicate of bug 2246 *** closing resolved bugs as of 8.6p1 release |
Created attachment 2267 [details] patch to allow configuring the pam service The attached patch allows openssh to specify which pam service name to authenticate users against by specifying the PAMServiceName attribute in the sshd_config file. Because the parameter can be included in the Match directive sections, it allows different authentication based on the Match directive. In our case, we use it to allow different levels of authentication based on the source of the authentication attempts (securID auth in untrusted zones, password auth in trusted zones). The default is still to use the binary name.