I've attached a patch relative to OpenSSH 2.5.1p1 which sets the default PAM service name to __progname instead of the hard-coded value "sshd". This allows you to have multiple invocations of sshd under different names, each with its own PAM configuration.

Please let me know if you have any questions or problems.

-- 
Mark D. Roth <roth at feep.net>
http://www.feep.net/~roth/

-------------- next part --------------
diff -urN openssh-2.5.1p1-orig/auth-pam.c openssh-2.5.1p1/auth-pam.c --- openssh-2.5.1p1-orig/auth-pam.c Wed Feb 14 18:51:32 2001 +++ openssh-2.5.1p1/auth-pam.c Thu Feb 22 10:50:10 2001 @@ -33,6 +33,8 @@ #include "canohost.h" #include "readpass.h" +extern char *__progname; + RCSID("$Id: auth-pam.c,v 1.29 2001/02/15 00:51:32 djm Exp $"); #define NEW_AUTHTOK_MSG \ diff -urN openssh-2.5.1p1-orig/ssh.h openssh-2.5.1p1/ssh.h --- openssh-2.5.1p1-orig/ssh.h Mon Feb 5 09:43:59 2001 +++ openssh-2.5.1p1/ssh.h Thu Feb 22 10:50:20 2001 @@ -61,7 +61,7 @@ #define SSH_SERVICE_NAME "ssh" #if defined(USE_PAM) && !defined(SSHD_PAM_SERVICE) -# define SSHD_PAM_SERVICE "sshd" +# define SSHD_PAM_SERVICE __progname #endif /*
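Review bot: the `extern char *__progname;` added to auth-pam.c is an unconditional declaration placed in a .c file, but __progname is not a standard C symbol: on a libc that does not export it, auth-pam.c only links if some other object in sshd defines the symbol, and nothing in this patch adds that definition or a configure-time check for it. Suggest putting the declaration in a shared header (auth-pam.h, as proposed in the reply), next to whatever handling the tree already has for __progname, so that every translation unit which expands SSHD_PAM_SERVICE sees the same declaration.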
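Review bot: after the ssh.h hunk, SSHD_PAM_SERVICE is no longer a string literal but the identifier `__progname`, so it can only be used in run-time expressions in files where __progname is declared; any use that relied on it being a compile-time constant (adjacent-literal concatenation, a static initializer) will stop compiling. Behaviourally, the PAM service consulted becomes whatever name the binary was started under, so an existing /etc/pam.d/sshd silently stops applying as soon as the binary is installed or invoked under another name. Suggest keeping "sshd" as the fallback when the derived name is empty, and documenting that the default service name now follows the program name.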
On Thu, 22 Feb 2001, Mark D. Roth wrote:
: I've attached a patch relative to OpenSSH 2.5.1p1 which sets the
: default PAM service name to __progname instead of the hard-coded value
: "sshd". This allows you to have multiple invocations of sshd under
: different names, each with its own PAM configuration.
:
: Please let me know if you have any questions or problems.

Seems fine, but I think #define SSHD_PAM_SERVICE should be moved to auth-pam.h.
How does this interact with this comment:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-4.html#ss4.2

Cheers

Andrew

"Mark D. Roth" wrote:
>
> I've attached a patch relative to OpenSSH 2.5.1p1 which sets the
> default PAM service name to __progname instead of the hard-coded value
> "sshd". This allows you to have multiple invocations of sshd under
> different names, each with its own PAM configuration.
>
> Please let me know if you have any questions or problems.
>
> --
> Mark D. Roth <roth at feep.net>
> http://www.feep.net/~roth/
>
> ------------------------------------------------------------------------
>
> Name: openssh-2.5.1p1-pamstart.diff
> Type: Plain Text (text/plain)
On Thu, 22 Feb 2001, Andrew Morgan wrote:
: How does this interact with this comment:
:
: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-4.html#ss4.2

Given that sshd is not set-id, and a user can build their own version, is there an issue?
What I, as a sysadmin, would like to see is the possibility of not only having different service names for different programs, but also having them differ depending on authentication method.

One reason for this is that I would like to control who logs on to which machine, and *how*. Using passwords and using e.g. Kerberos or AFS ticket transfers result in different security exposures in the light of trojan horses, or the user population on the machines.

Consider the situation of university teachers logging in to student machines. In that case, we wouldn't like them to give their passwords, regardless of whether the passwords are encrypted in transfer or not. However, doing Kerb5 ticket transfers probably is a different story, since these tickets have time limits on their validity, something that passwords generally don't have, or at least have much longer validity.

If there were an OTP password authentication method, there would be yet another method that would represent a different security risk, and could call for another policy vs. who may log on.

PAM is a good framework that not only can be used for selecting authentication policies, but also can be used for controlling authorization policy, regardless of the method of authentication. One way of enabling that kind of authz policy-making is to have different PAM service names for different authn methods.

Please forgive me if this has been discussed before. I'm new to this list. In that case, I'd be interested in looking at some archived mail if available.

Chris. <bernerus at cs.chalmers.se>
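An added example, not code from Mark's patch, from OpenSSH or from Linux-PAM: it shows what deriving the PAM service name from the program name (the __progname value the patch substitutes for "sshd") amounts to, adds the "sshd" fallback and the sanity check a defender would want before handing a name from argv[0] to PAM, and, for Chris's suggestion, appends an optional authentication-method suffix so that, say, password and Kerberos logins can be mapped to separate entries under /etc/pam.d. The function names, the character policy and the "sshd-<method>" naming convention are assumptions of this example; nothing here calls pam_start(), so it builds without libpam.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Name used whenever the derived one is unusable; mirrors the hard-coded
 * "sshd" that the patch replaces. */
#define PAM_SERVICE_FALLBACK "sshd"
/* Upper bound on the service name we are willing to build (assumption). */
#define PAM_SERVICE_MAX 64

/* Component after the last '/', i.e. what __progname holds for argv0. */
static const char *progname_of(const char *argv0)
{
    const char *slash;

    if (argv0 == NULL)
        return "";
    slash = strrchr(argv0, '/');
    return slash != NULL ? slash + 1 : argv0;
}

/* Hypothetical policy: a name is usable only if it is non-empty, shorter
 * than PAM_SERVICE_MAX, does not start with '.', and consists of
 * [A-Za-z0-9._-], so it can only ever select a plain file under /etc/pam.d. */
static int service_name_ok(const char *name)
{
    size_t i, n = strlen(name);

    if (n == 0 || n >= PAM_SERVICE_MAX || name[0] == '.')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

/* Build the PAM service name into buf (buflen bytes).  argv0 is the name
 * the binary was started under; method is an optional authentication-method
 * suffix ("password", "kerberos", ...) or NULL.  Returns 1 when the name was
 * derived from argv0 and 0 when the fallback had to be used. */
int pam_service_name(const char *argv0, const char *method,
                     char *buf, size_t buflen)
{
    const char *base = progname_of(argv0);
    int derived = service_name_ok(base);
    int n;

    if (!derived)
        base = PAM_SERVICE_FALLBACK;
    if (method != NULL && service_name_ok(method))
        n = snprintf(buf, buflen, "%s-%s", base, method);
    else
        n = snprintf(buf, buflen, "%s", base);
    if (n < 0 || (size_t)n >= buflen) {
        /* Would not fit: never hand PAM a truncated name. */
        snprintf(buf, buflen, "%s", PAM_SERVICE_FALLBACK);
        return 0;
    }
    return derived;
}

int main(void)
{
    /* Constructed sample invocations, not taken from any real system. */
    const char *argv0s[] = { "/usr/sbin/sshd", "/usr/local/sbin/sshd-students",
                             "sshd config", "", ".sshd" };
    const char *methods[] = { NULL, "password", "kerberos" };
    char svc[PAM_SERVICE_MAX];
    size_t i, j;

    for (i = 0; i < sizeof argv0s / sizeof argv0s[0]; i++)
        for (j = 0; j < sizeof methods / sizeof methods[0]; j++) {
            int derived = pam_service_name(argv0s[i], methods[j], svc, sizeof svc);
            printf("argv0=%-32s method=%-9s -> /etc/pam.d/%s%s\n",
                   argv0s[i], methods[j] ? methods[j] : "(none)", svc,
                   derived ? "" : "  (fallback)");
        }
    return 0;
}
```

Note what the check buys and what it does not: it keeps the lookup to a plain file name under the PAM configuration directory, but whoever controls argv[0] can still select any existing service there. That is only a concern if sshd runs with more privilege than the party that started it, which is the point the reply about sshd not being set-id makes.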
On Thu Feb 22 10:55 2001 -0600, Mark D. Roth wrote:
> I've attached a patch relative to OpenSSH 2.5.1p1 which sets the
> default PAM service name to __progname instead of the hard-coded value
> "sshd". This allows you to have multiple invocations of sshd under
> different names, each with its own PAM configuration.

I just noticed that this patch is still not in the current CVS tree. Did it just get overlooked, or is there some problem with it?

Thanks for the info!

-- 
Mark D. Roth <roth at feep.net>
http://www.feep.net/~roth/