Ivan Popov
2002-Mar-18 14:00 UTC
incomplete/insufficient logic for making access decisions
Hello,

There is a simple but sometimes important omission in access decision logic in OpenSSH. It checks against PAM for all authentication methods - it *is* good. But it provides no means to distinguish, in PAM configuration, which method has been used for the authentication.

It is sometimes crucial to be able to distinguish between different ways of authentication, to make the right authorization (login access) decision. [e.g. to have allowed-accounts-lists per authentication type]

We have been running openssh for a long time with our own patches to add different pam service names for different authentication modes, but it definitely should belong to the mainstream code.

(no, our patches were against 2.*, of no use if I'd provide them)

We were running with "ssh-rsa" and "ssh-dcegss" style service names along with "ssh", used for plain pam (i.e. password) authentication.

I see it as an important omission, that fortunately is easy to fix - let it go different paths in pam account (authorization) management, corresponding to different authentication paths.

Best regards, and thanks for the great software!

--
Ivan
Frank Cusack
2002-Mar-19 05:25 UTC
incomplete/insufficient logic for making access decisions
On Mon, Mar 18, 2002 at 03:00:09PM +0100, Ivan Popov wrote:
> [e.g. to have allowed-accounts-lists per authentication type]
>
> We have been running openssh for a long time with our own patches to add
> different pam service names for different authentication modes,
> but it definitely should belong to the mainstream code.
>
> (no, our patches were against 2.*, of no use if I'd provide them)
>
> We were running with "ssh-rsa" and "ssh-dcegss" style service names along
> with "ssh", used for plain pam (i.e. password) authentication.

I'd agree, this sounds like a reasonable (possibly even good) thing to do. You'd have to delay PAM startup until a non-PAM auth started (if you used PAM auth you'd have to end it and restart it -- ugly and not worthwhile).

Something like

    # Account service to use for non-PAM authentication. When using
    # PAM auth, this is always "sshd". When using non-PAM auth (e.g. rsa)
    # the configured service name is used. Can contain %a which is
    # substituted with the auth type. Default is "sshd".
    PAMAcctService sshd

seems good.

/fc
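The following is an added illustration of the mechanism the two posts discuss, not code from OpenSSH or from either poster. It models the proposed PAMAcctService option (with %a substitution and the "always sshd for PAM-based auth" rule) and the per-authentication-type allowed-account lists Ivan mentions, using a constructed in-memory stand-in for the PAM account stacks that would otherwise live in /etc/pam.d/<service>. The option name, the method names in PAM_AUTH_METHODS, and the fail-closed handling of an unknown service are assumptions for the example.

```python
"""Model of per-authentication-method PAM service selection for the
account (authorization) stage. Added example; the PAMAcctService option
and the policy data below are hypothetical / constructed."""

# Methods that authenticate through PAM itself; for these the account
# stage keeps the plain "sshd" service, as the proposed option describes.
PAM_AUTH_METHODS = {"password", "keyboard-interactive"}


def pam_service_for(auth_method: str, template: str = "sshd") -> str:
    """Return the PAM service name for the account stage.

    PAM-based authentication always maps to "sshd". Any other method uses
    the configured template, with "%a" replaced by the method name, so
    "sshd-%a" yields e.g. "sshd-publickey". The default template "sshd"
    contains no "%a" and therefore keeps a single service for everything.
    """
    if auth_method in PAM_AUTH_METHODS:
        return "sshd"
    return template.replace("%a", auth_method)


# Constructed stand-in for the per-service account stacks: one allowed
# account list per authentication type, which is the use case from the
# original post.
ACCOUNT_POLICY = {
    "sshd":                 {"allowed_users": {"alice", "bob"}},    # password
    "sshd-publickey":       {"allowed_users": {"alice", "deploy"}},
    "sshd-gssapi-with-mic": {"allowed_users": {"alice"}},
}


def account_decision(service: str, user: str, policy=ACCOUNT_POLICY) -> bool:
    """Simulate the PAM account stage for one service.

    Returns True only if a stack exists for the service and the user is on
    its allowed list. A missing stack is treated as a denial (fail closed);
    real PAM would fall back to the "other" service, so a deployment using
    this scheme would want a restrictive "other" stack as well.
    """
    stack = policy.get(service)
    if stack is None:
        return False
    return user in stack["allowed_users"]


def authorize(user: str, auth_method: str,
              template: str = "sshd-%a") -> tuple[str, bool]:
    """Pick the service for the method used, then run the account check."""
    service = pam_service_for(auth_method, template)
    return service, account_decision(service, user)


if __name__ == "__main__":
    for user, method in [("deploy", "publickey"), ("deploy", "password"),
                         ("bob", "hostbased")]:
        service, ok = authorize(user, method)
        print(f"{user:7} via {method:10} -> service {service:22} "
              f"{'allowed' if ok else 'denied'}")
```

With the "sshd-%a" template, the deploy account is admitted only when it arrived via publickey; the same account trying a password login is evaluated against the plain "sshd" stack and refused, and a method with no dedicated stack is refused outright. That is exactly the per-method distinction the original post says a single shared service name cannot express.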