Hello,
Here's the situation I'm facing: I'm running OpenSSH on a server.
On a gateway, I forward TCP port 22 to the server's TCP port 22. So far, so good. I can
log in from inside the lan by connecting using standard SSH port, or
from the other network through the gateway.
Now, I'd like a different configuration for connections from the
outside. I start a second sshd on the server with another config file,
listening on another port, and instead of forwarding incoming
connections on the gateway to TCP port 22, I forward them to that other port,
and it works.
Now, one step further: I use PAM on the server, and would like to use
/etc/pam.d/ssh_remote as the PAM config file for the second instance of
sshd while continuing to use /etc/pam.d/ssh for the first one.
It comes down to changing the "service_name" argument of pam_start()
for the second daemon. I had a look in the source, and SSHD_PAM_SERVICE is a
compile-time constant. I could of course recompile with
-DSSHD_PAM_SERVICE='"ssh_remote"', but I would then have to maintain two sets of
binaries: one sshd and another sshd_remote. Not really easy. :-(
Attached is a patch that lets me do this from the config file by
appending a string to SSHD_PAM_SERVICE at runtime (I would have preferred
to do the concatenation at fill_default_server_options time). It just adds one
option: PAMServiceNameAppend.
This is my first attempt at patching ssh (hacked together this afternoon, with only
basic and very primitive testing), so it surely needs hints from "the guys
who know it better". :o) Feedback welcome!
Flavien.
Index: auth-pam.c
==================================================================RCS file:
/cvs/openssh/auth-pam.c,v
retrieving revision 1.54
diff -u -w -u -w -b -p -r1.54 auth-pam.c
--- auth-pam.c 28 Jul 2002 20:24:08 -0000 1.54
+++ auth-pam.c 24 Nov 2002 18:43:41 -0000
@@ -378,10 +378,13 @@ void start_pam(const char *user)
extern ServerOptions options;
extern u_int utmp_len;
const char *rhost;
+ char buf[1024];
debug("Starting up PAM with username \"%.200s\"", user);
- pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &__pamh);
+ strlcpy(buf, SSHD_PAM_SERVICE, sizeof(buf));
+ strlcat(buf, options.pam_service_name_append, sizeof(buf));
+ pam_retval = pam_start(buf, user, &conv, &__pamh);
if (pam_retval != PAM_SUCCESS)
fatal("PAM initialisation failed[%d]: %.200s",
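Review bot: The strlcat into `buf` before the new pam_start() call silently truncates when SSHD_PAM_SERVICE plus the configured suffix exceeds 1024 bytes, and the truncated string would then be handed to PAM as a service name that selects some other /etc/pam.d entry instead of failing. Check the return value and refuse to continue: `if (strlcat(buf, options.pam_service_name_append, sizeof(buf)) >= sizeof(buf)) fatal("PAM service name too long");`. The concatenation also relies on pam_service_name_append never being NULL at this point, which holds only because fill_default_server_options() substitutes ""; a comment such as `/* pam_service_name_append defaults to "" (see fill_default_server_options) */` would make that contract visible. Since the suffix is fixed at configuration time anyway, letting the option set the whole service name rather than a suffix on a compile-time prefix would arguably be simpler to reason about and to audit. The fatal() call on the last line continues outside the hunk.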
Index: servconf.c
==================================================================RCS file:
/cvs/openssh/servconf.c,v
retrieving revision 1.97
diff -u -w -u -w -b -p -r1.97 servconf.c
--- servconf.c 5 Sep 2002 04:35:15 -0000 1.97
+++ servconf.c 24 Nov 2002 18:43:41 -0000
@@ -57,6 +57,9 @@ initialize_server_options(ServerOptions
/* Portable-specific options */
options->pam_authentication_via_kbd_int = -1;
+#ifdef USE_PAM
+ options->pam_service_name_append = NULL;
+#endif
/* Standard Options */
options->num_ports = 0;
@@ -134,6 +137,10 @@ fill_default_server_options(ServerOption
/* Portable-specific options */
if (options->pam_authentication_via_kbd_int == -1)
options->pam_authentication_via_kbd_int = 0;
+#ifdef USE_PAM
+ if (options->pam_service_name_append == NULL)
+ options->pam_service_name_append = "";
+#endif
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
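Review bot: The default assigned at `options->pam_service_name_append = ""` stores a string literal in a field that process_server_config_line otherwise fills with xstrdup()'d heap memory, so ownership of the field is mixed and any later free() of it would be undefined behaviour on the default path. Either use `xstrdup("")` so every value is heap-owned, or add `/* never freed: may point at a string literal */` next to the field so a future cleanup pass does not trip over it. fill_default_server_options continues outside the hunk.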
@@ -275,7 +282,7 @@ fill_default_server_options(ServerOption
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
- sPAMAuthenticationViaKbdInt,
+ sPAMAuthenticationViaKbdInt, sPAMServiceNameAppend,
/* Standard Options */
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
sPermitRootLogin, sLogFacility, sLogLevel,
@@ -312,6 +319,7 @@ static struct {
} keywords[] = {
/* Portable-specific options */
{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
+ { "PAMServiceNameAppend", sPAMServiceNameAppend },
/* Standard Options */
{ "port", sPort },
{ "hostkey", sHostKeyFile },
@@ -461,6 +469,15 @@ process_server_config_line(ServerOptions
case sPAMAuthenticationViaKbdInt:
intptr = &options->pam_authentication_via_kbd_int;
goto parse_flag;
+#ifdef USE_PAM
+ case sPAMServiceNameAppend:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: Missing argument.", filename, linenum);
+ if (options->pam_service_name_append == NULL)
+ options->pam_service_name_append = xstrdup(arg);
+ break;
+#endif
/* Standard Options */
case sBadOption:
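Review bot: The argument saved at `options->pam_service_name_append = xstrdup(arg)` is checked only for being non-empty, yet it becomes part of the PAM service name, which PAM implementations commonly resolve to a file under /etc/pam.d/, so a value containing '/' would turn the lookup into a path. sshd_config is root-controlled, so this is hardening rather than an exploitable hole, but a bad value would otherwise only surface at the first login attempt; rejecting it at parse time is cheap: `if (strchr(arg, '/') != NULL) fatal("%s line %d: invalid character in PAM service name suffix.", filename, linenum);`. The first-occurrence-wins guard (`if (options->pam_service_name_append == NULL)`) also silently ignores a second PAMServiceNameAppend line, which appears to be how other string options in this file behave but deserves a one-line comment such as `/* first occurrence wins, as for other string options */`. process_server_config_line continues outside the hunk.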
Index: servconf.h
==================================================================RCS file:
/cvs/openssh/servconf.h,v
retrieving revision 1.50
diff -u -w -u -w -b -p -r1.50 servconf.h
--- servconf.h 1 Aug 2002 01:28:39 -0000 1.50
+++ servconf.h 24 Nov 2002 18:43:42 -0000
@@ -132,6 +132,7 @@ typedef struct {
char *authorized_keys_file; /* File containing public keys */
char *authorized_keys_file2;
int pam_authentication_via_kbd_int;
+ char *pam_service_name_append;
} ServerOptions;
void initialize_server_options(ServerOptions *);