I append a patch against openssh-3.5p1.tar.gz which adds a config option
PAMServiceName. The option allows one to specify the PAM service at
runtime in the config file rather than using __progname or having it
hardwired to SSHD_PAM_SERVICE at compile time. I expect this to be useful
if one wants to run multiple instances of sshd using different PAM
configurations.
With this patch SSHD_PAM_SERVICE is not used in auth-pam.c so I moved the
definition out of auth-pam.h into servconf.h. Effectively
SSHD_PAM_SERVICE now merely supplies the default service name. I'm not
convinced that servconf.h is the correct place for it.
==========pam-service.diff follows=========
diff -ru openssh-3.5p1.orig/auth-pam.c openssh-3.5p1/auth-pam.c
--- openssh-3.5p1.orig/auth-pam.c Sun Jul 28 21:24:08 2002
+++ openssh-3.5p1/auth-pam.c Tue Dec 3 14:22:16 2002
@@ -34,8 +34,6 @@
#include "canohost.h"
#include "readpass.h"
-extern char *__progname;
-
extern int use_privsep;
RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $");
@@ -381,7 +379,7 @@
debug("Starting up PAM with username \"%.200s\"", user);
- pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &__pamh);
+ pam_retval = pam_start(options.pam_service_name, user, &conv,
&__pamh);
if (pam_retval != PAM_SUCCESS)
fatal("PAM initialisation failed[%d]: %.200s",
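Review bot: The debug line just above pam_start() still logs only the username, so with a configurable service the log no longer shows which PAM stack handled the login. Consider `debug("Starting up PAM service \"%.100s\" with username \"%.200s\"", options.pam_service_name, user);`. The call also depends on a declaration of `options` being in scope in auth-pam.c, which this hunk does not show and should be confirmed. The enclosing function starts and ends outside the hunk.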
diff -ru openssh-3.5p1.orig/auth-pam.h openssh-3.5p1/auth-pam.h
--- openssh-3.5p1.orig/auth-pam.h Tue Jul 23 01:44:07 2002
+++ openssh-3.5p1/auth-pam.h Tue Dec 3 14:13:52 2002
@@ -27,10 +27,6 @@
#include "includes.h"
#ifdef USE_PAM
-#if !defined(SSHD_PAM_SERVICE)
-# define SSHD_PAM_SERVICE __progname
-#endif
-
void start_pam(const char *user);
void finish_pam(void);
int auth_pam_password(Authctxt *authctxt, const char *password);
diff -ru openssh-3.5p1.orig/servconf.c openssh-3.5p1/servconf.c
--- openssh-3.5p1.orig/servconf.c Thu Sep 5 05:35:15 2002
+++ openssh-3.5p1/servconf.c Tue Dec 3 14:22:00 2002
@@ -48,6 +48,8 @@
/* Use of privilege separation or not */
extern int use_privsep;
+extern char *__progname;
+
/* Initializes the server options to their default values. */
void
@@ -57,6 +59,7 @@
/* Portable-specific options */
options->pam_authentication_via_kbd_int = -1;
+ options->pam_service_name = NULL;
/* Standard Options */
options->num_ports = 0;
@@ -134,6 +137,8 @@
/* Portable-specific options */
if (options->pam_authentication_via_kbd_int == -1)
options->pam_authentication_via_kbd_int = 0;
+ if (options->pam_service_name == NULL )
+ options->pam_service_name = SSHD_PAM_SERVICE;
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
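Review bot: Once this default is applied, `pam_service_name` holds either the heap copy made by the config parser or the compile-time/`__progname` string, so the field has no single owner and can never be safely freed. Duplicating the default too, `options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);`, keeps ownership uniform. The stray space in `== NULL )` also differs from the surrounding lines. The function body continues outside the hunk.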
@@ -276,6 +281,7 @@
sBadOption, /* == unknown option */
/* Portable-specific options */
sPAMAuthenticationViaKbdInt,
+ sPAMServiceName,
/* Standard Options */
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
sPermitRootLogin, sLogFacility, sLogLevel,
@@ -312,6 +318,7 @@
} keywords[] = {
/* Portable-specific options */
{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
+ { "PAMServiceName", sPAMServiceName },
/* Standard Options */
{ "port", sPort },
{ "hostkey", sHostKeyFile },
@@ -461,6 +468,16 @@
case sPAMAuthenticationViaKbdInt:
intptr = &options->pam_authentication_via_kbd_int;
goto parse_flag;
+
+ case sPAMServiceName:
+ charptr=&options->pam_service_name;
+ arg=strdelim(&cp);
+ if (!arg || *arg == '\0' )
+ fatal("%s line %d: missing PAM service name",
+ filename, linenum);
+ if( *charptr==NULL )
+ *charptr=xstrdup(arg);
+ break;
/* Standard Options */
case sBadOption:
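Review bot: The new `sPAMServiceName` case accepts any non-empty token as the service name, and that string selects the PAM policy that authenticates every login on this sshd instance. PAM implementations commonly map the service name to a policy file, so a value containing a path separator is worth rejecting at parse time, e.g. `if (strchr(arg, '/') != NULL) fatal("%s line %d: invalid PAM service name", filename, linenum);`. The spacing in `charptr=&options->pam_service_name;` and `if( *charptr==NULL )` should follow the `intptr = &options->...` style of the neighbouring case. The switch continues outside the hunk.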
diff -ru openssh-3.5p1.orig/servconf.h openssh-3.5p1/servconf.h
--- openssh-3.5p1.orig/servconf.h Thu Aug 1 02:28:39 2002
+++ openssh-3.5p1/servconf.h Tue Dec 3 14:10:55 2002
@@ -132,6 +132,7 @@
char *authorized_keys_file; /* File containing public keys */
char *authorized_keys_file2;
int pam_authentication_via_kbd_int;
+ char *pam_service_name;
} ServerOptions;
void initialize_server_options(ServerOptions *);
@@ -139,5 +140,8 @@
void fill_default_server_options(ServerOptions *);
int process_server_config_line(ServerOptions *, char *, const char *, int);
+#if !defined(SSHD_PAM_SERVICE)
+# define SSHD_PAM_SERVICE __progname
+#endif
#endif /* SERVCONF_H */
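Review bot: `SSHD_PAM_SERVICE` now lives in servconf.h but expands to `__progname`, which this header does not declare, so every file using the macro needs its own `extern char *__progname;` (servconf.c gains one in this patch). Any other file that previously got the macro through auth-pam.h without including servconf.h would stop compiling; none is visible here, so this should be checked across the tree. A short comment above the `#if`, such as `/* Default PAM service name; overridden by PAMServiceName in sshd_config */`, would record the macro's new role.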
diff -ru openssh-3.5p1.orig/sshd_config.5 openssh-3.5p1/sshd_config.5
--- openssh-3.5p1.orig/sshd_config.5 Thu Sep 19 02:51:22 2002
+++ openssh-3.5p1/sshd_config.5 Tue Dec 3 14:19:34 2002
@@ -427,6 +427,8 @@
it will allow password authentication regardless of whether
.Cm PasswordAuthentication
is enabled.
+.It Cm PAMServiceName
+Specifies the PAM service name to use when initialising PAM services.
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is