It's sometimes desired to be able to alter login policy depending upon
how the person was connecting for the ssh server. For example you might
want different rules on the internal and external interface of a
gateway. In another setup you might want an sshd with a different login
policy running on a different port - and setup different firewalling
rules (for example).
I have implemented such a setup using PAM, however in order to do this I
need the different SSH daemons to use different PAM service names when
authenticated.
The attached patch (developed for 3.5p1, but it applies ok to 3.6.1p1)
implements this functionality, by adding a PAMServiceName option to
sshd_config.
On a slightly related note I've also managed to get one time passwords
(using OPIE) working with sshd, providing a more secure mechanism for
logging into a computer from a public workstation or similar (where you
may be worried about your password running the risk of falling prey to
keyboard loggers or other such trojans). OPIE development seems pretty
much non-existant so I'm not entirely sure who this is likely to be of
interest to, but if anyone wants code or instructions then email me.
In combination with the attached patch, for example, this allows an sshd
daemon listening internally to take normal passwords and one listening
externally to require OPIE passwords. Unfortunately this means enabling
PAMAuthenticationViaKbdInt, which might make the cure worse than the
disease.
--
Stephen White <stephen-openssh at earth.li>