openssh unix dev - Jun 2004 - [PATCH] make pam service a settable option

This patch adds a config file option 'PAMService' that sets the PAM
service sshd will use. It should leave the current behavior unchanged if
PAMService is not set in the config file (i.e. use __progname for the
service or SSHD_PAM_SERVICE if it's set at compile time). The patch is
against the current portability release in CVS.

Why would you want something like this?
I have a machine at work that I use as an SSH bastion. It runs a
"normal" ssh daemon that allows root logins, etc that I use for
management, and a second ssh daemon on a different port (that the
firewall forwards to) that uses a one time password auth scheme, and
doesn't allow root logins. It would be very nice to be able to have them
use different PAM module stacks without having to have a separate
binary.

One final note -- C programming is not my forte, so please look at this
critically and let me know if anything should be changed. If you accept
this for inclusion, I'll make the manpage updates as well.

Thanks!
-- 
Jeff Layton <jtlayton at poochiereds.net>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh_pam_service.patch
Type: text/x-patch
Size: 4350 bytes
Desc: not available
Url :
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040623/e0334395/attachment.bin

Apologies if this goes through twice, but it looked like it didn't go
the first time I sent it...

This patch adds a config file option 'PAMService' that sets the PAM
service sshd will use. It should leave the current behavior unchanged if
PAMService is not set in the config file (i.e. use __progname for the
service or SSHD_PAM_SERVICE if it's set at compile time). The patch is
against the current portability release in CVS.

Why would you want something like this?
I have a machine at work that I use as an SSH bastion. It runs a
"normal" ssh daemon that allows root logins, etc that I use for
management, and a second ssh daemon on a different port (that the
firewall forwards to) that uses a one time password auth scheme, and
doesn't allow root logins. It would be very nice to be able to have them
use different PAM module stacks without having to have a separate
binary.

One final note -- C programming is not my forte, so please look at this
critically and let me know if anything should be changed. If you accept
this for inclusion, I'll make the manpage updates as well.

Thanks!
-- 
Jeff Layton <jtlayton at poochiereds.net>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh_pam_service.patch
Type: text/x-patch
Size: 4350 bytes
Desc: not available
Url :
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040623/52983010/attachment.bin

> This patch adds a config file option 'PAMService' that sets the PAM
> service sshd will use.
You don't need that option. 

ln -s sshd /usr/sbin/sshd_remote

sshd will identify itself as _progname, which will be "sshd_remote".

PS: I already submited such a patch some time  ago,  and  another
person the same one some time  later.  I  suggest  it  should  be
documented. Documentation could state something around the  lines
of :
    The PAM service name used by  sshd  to  identify  itself,  is
    derived from the name of the program. It is possible to start
    sshd through a link that is named differently,  so  that  the
    PAM service name is different (for example to have  different
    PAM policies for different instances of sshd running  on  the
    same machine).


Flavien.

On Wed, 2004-06-23 at 10:08, Darren Tucker wrote:
> Then you need to take that up with Debian (although if they've changed 
> it from the default then they probably have a policy about that).
Roger that. I filed a bug report with the debian BTS and posted a
message to the debian-ssh mailing list to see if I can get an
explanation of why they're doing this.

Thanks!
-- 
Jeff Layton <jtlayton at poochiereds.net>