I have created patches to allow for a configurable PAM service name. I use this with the ListenAddress configuration parameters, along with ipaliasing and firewall blocking, to force a SecurID authentication on remote connections but still allow for "normal" access internally. If anyone is interested, here they are:
Index: auth-pam.c
==================================================================
RCS file: /u/itsrc/cvs/security/openssh/auth-pam.c,v
retrieving revision 1.1.1.3
retrieving revision 1.1.1.3.2.1
diff -u -r1.1.1.3 -r1.1.1.3.2.1
--- auth-pam.c 2000/05/11 21:28:36 1.1.1.3
+++ auth-pam.c 2000/05/13 17:33:09 1.1.1.3.2.1
@@ -211,11 +211,12 @@
 /* Start PAM authentication for specified account */
 void start_pam(struct passwd *pw)
 {
+ extern ServerOptions options;
 int pam_retval;
- debug("Starting up PAM with username \"%.200s\"", pw->pw_name);
+ debug("Starting up PAM with service \"%s\" and username \"%.200s\"", options.pam_service, pw->pw_name);
- pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv,
+ pam_retval = pam_start(options.pam_service, pw->pw_name, &conv,
 (pam_handle_t**)&pamh);
 if (pam_retval != PAM_SUCCESS)
 fatal("PAM initialisation failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
Index: servconf.c
==================================================================
RCS file: /u/itsrc/cvs/security/openssh/servconf.c,v
retrieving revision 1.1.1.3
retrieving revision 1.1.1.3.2.1
diff -u -r1.1.1.3 -r1.1.1.3.2.1
--- servconf.c 2000/05/11 21:28:52 1.1.1.3
+++ servconf.c 2000/05/13 17:33:09 1.1.1.3.2.1
@@ -34,6 +34,7 @@
 options->host_key_file = NULL;
 options->host_dsa_key_file = NULL;
 options->pid_file = NULL;
+ options->pam_service = NULL;
 options->server_key_bits = -1;
 options->login_grace_time = -1;
 options->key_regeneration_time = -1;
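Review bot: In the auth-pam.c hunk the new debug() call prints options.pam_service with an unbounded `%s` while the username next to it is capped with `%.200s`; the service name now comes from the configuration file, so bound it the same way: `debug("Starting up PAM with service \"%.200s\" and username \"%.200s\"", options.pam_service, pw->pw_name);`. The block-scope `extern ServerOptions options;` inside start_pam() would read better as a single file-scope declaration, so every function in the file shares it. Because the service name now selects which PAM policy authenticates the connection, a comment above pam_start() should say so, for example `/* options.pam_service selects the PAM policy; on some PAM implementations a name with no matching configuration falls back to the system default policy */`. start_pam() continues past the end of the hunk.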
@@ -89,6 +90,8 @@
 options->host_dsa_key_file = HOST_DSA_KEY_FILE;
 if (options->pid_file == NULL)
 options->pid_file = SSH_DAEMON_PID_FILE;
+ if (options->pam_service == NULL)
+ options->pam_service = SSHD_PAM_SERVICE;
 if (options->server_key_bits == -1)
 options->server_key_bits = 768;
 if (options->login_grace_time == -1)
@@ -177,7 +180,7 @@
 sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
- sGatewayPorts, sDSAAuthentication
+ sPAMService, sGatewayPorts, sDSAAuthentication
 } ServerOpCodes;
 /* Textual representation of the tokens. */
@@ -189,6 +192,7 @@
 { "hostkey", sHostKeyFile },
 { "hostdsakey", sHostDSAKeyFile },
 { "pidfile", sPidFile },
+ { "pamservice", sPAMService },
 { "serverkeybits", sServerKeyBits },
 { "logingracetime", sLoginGraceTime },
 { "keyregenerationinterval", sKeyRegenerationTime },
@@ -385,6 +389,18 @@
 }
 if (*charptr == NULL)
 *charptr = tilde_expand_filename(cp, getuid());
+ break;
+
+ case sPAMService:
+ charptr = &options->pam_service;
+ cp = strtok(NULL, WHITESPACE);
+ if (!cp) {
+ fprintf(stderr, "%s line %d: missing PAM service name.\n",
+ filename, linenum);
+ exit(1);
+ }
+ if (*charptr == NULL)
+ *charptr = xstrdup(cp);
 break;
 case sRandomSeedFile:
Index: servconf.h
==================================================================
RCS file: /u/itsrc/cvs/security/openssh/servconf.h,v
retrieving revision 1.1.1.2
retrieving revision 1.1.1.2.2.1
diff -u -r1.1.1.2 -r1.1.1.2.2.1
--- servconf.h 2000/05/11 21:28:53 1.1.1.2
+++ servconf.h 2000/05/13 17:33:10 1.1.1.2.2.1
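Review bot: The default added in the `@@ -89,6 +90,8 @@` hunk makes servconf.c depend on SSHD_PAM_SERVICE, and no include or conditional is added for it anywhere in the patch. If that macro is only defined when PAM support is compiled in (not visible from here), a build without PAM would fail at `options->pam_service = SSHD_PAM_SERVICE;`. Putting these two lines, the new struct field and the parser case under the same PAM conditional the tree already uses would keep such builds working. The enclosing function starts and ends outside the hunk.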
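Review bot: The sPAMService case in the `@@ -385,6 +389,18 @@` hunk stores whatever token follows the keyword without checking it. PAM implementations commonly resolve the service name to a configuration file, so the parser should reject a name containing `/` before the `xstrdup(cp)`, for example `if (strchr(cp, '/') != NULL) { fprintf(stderr, "%s line %d: invalid PAM service name.\n", filename, linenum); exit(1); }`. Because of `if (*charptr == NULL)`, a second pamservice line is ignored silently, which is easy to miss when this option decides whether remote logins get the stronger authentication; a warning on the duplicate and a manual-page entry for the new keyword would help. The enclosing switch starts and ends outside the hunk.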
@@ -34,6 +34,7 @@
 char *host_key_file; /* File containing host key. */
 char *host_dsa_key_file; /* File containing dsa host key. */
 char *pid_file; /* Where to put our pid */
+ char *pam_service; /* Service name for PAM */
 int server_key_bits;/* Size of the server key. */
 int login_grace_time; /* Disconnect if no auth in this time
 * (sec). */