Michael Tokarev
2003-Mar-26 16:25 UTC
Changing PAM service name in sshd_config, or running sshd as non-root
Currently, openssh's PAM service name is a compile-time choice. That's fine when one uses one sshd to serve normal shell logins and the like. But this will not work IF sshd is not run as root (which I don't want it to do), because pam_open_session usually requires access to one's shadow information (for account expiration perhaps?), and there is no way (and no need: this sshd is installed to handle a specific task (or a set of tasks, really), where NO pam work is needed at all - to only allow port forwarding for several authorized (via keys) parties, something like tunnels - just to give an example) to give this information to a non-root process. So, sshd fails:

debug1: ssh_rsa_verify: signature correct
PAM rejected by account configuration[9]: Authentication service cannot retrieve authentication info.
Accepted publickey for mjt from 127.0.0.1 port 1101 ssh2
Failed publickey for mjt from 127.0.0.1 port 1101 ssh2

(note the order of messages - PAM failure first, pubkey acceptance is second).

So, that to say - why is there no e.g. PamServiceName configuration option in sshd_config?

Thanks.

/mjt
Jim Knoble
2003-Mar-26 20:20 UTC
Changing PAM service name in sshd_config, or running sshd as non-root
Circa 2003-03-26 19:25:25 +0300 dixit Michael Tokarev:

: Currently, openssh's PAM service name is a compile-time choice.
[...]
: So, that to say - why there is no e.g. PamServiceName configuration
: option in sshd_config?

There is one, it's just called something different:

ln -s /path/to/sshd /path/to/your-favorite-ssh-service-name

OpenSSH's sshd uses the basename of argv[0] as the service name, as you would know if you were to read the INSTALL file that accompanies OpenSSH-3.5p1.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
Stop the War on Freedom ... Start the War on Poverty!
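The symlink trick from the reply, as an added example that is not part of the thread: it stages a renamed sshd under a scratch root, shows that the PAM service name is just the basename of the invoked path, and shows which /etc/pam.d file Linux-PAM would consult for it (the named file, or the catch-all "other" when none exists). The name "sshd-fwd", the scratch paths and the constructed PAM stack are assumptions.

```shell
# Added example, not code from the thread. Models the mechanism in the reply:
# sshd takes its PAM service name from the basename of argv[0], so a symlink
# with a different name selects a different /etc/pam.d/<name> file.
# Everything runs under a scratch root; the name "sshd-fwd" is an assumption.
set -eu

# Service name as sshd derives it: the basename of the path it was invoked by.
pam_service_name() {
    basename "$1"
}

# PAM config Linux-PAM would consult for service NAME under ROOT:
# ROOT/etc/pam.d/NAME if present, otherwise the catch-all ROOT/etc/pam.d/other.
# Checking this catches the common mistake of renaming the binary but
# forgetting to provide the matching service file.
pam_config_for() {
    root=$1; name=$2
    if [ -f "$root/etc/pam.d/$name" ]; then
        printf '%s\n' "$root/etc/pam.d/$name"
    else
        printf '%s\n' "$root/etc/pam.d/other"
    fi
}

# Create ROOT/sbin/NAME -> REAL_SSHD plus a dedicated PAM stack for it, and
# print the service name the symlink selects. The constructed stack has no
# pam_unix account/session entries, so this instance does not need shadow
# access when run as an unprivileged user (the situation in the first post).
setup_renamed_sshd() {
    root=$1; real=$2; name=$3
    mkdir -p "$root/sbin" "$root/etc/pam.d"
    ln -sf "$real" "$root/sbin/$name"
    cat > "$root/etc/pam.d/$name" <<'EOF'
# constructed PAM stack for a key-only, forwarding-only sshd instance
account  required pam_permit.so
session  required pam_permit.so
EOF
    pam_service_name "$root/sbin/$name"
}

scratch=$(mktemp -d)
setup_renamed_sshd "$scratch" /usr/sbin/sshd sshd-fwd   # sshd-fwd
pam_config_for "$scratch" sshd-fwd                      # .../etc/pam.d/sshd-fwd
pam_config_for "$scratch" sshd                          # .../etc/pam.d/other
rm -rf "$scratch"
```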