Hello All,

The attached patch allows openssh to specify which pam service name to authenticate users against by specifying the PAMServiceName attribute in the sshd_config file. Because the parameter can be included in the Match directive sections, it allows different authentication based on the Match directive. In our case, we use it to allow different levels of authentication based on the source of the authentication attempts (securID auth in untrusted zones, password auth in trusted zones). The default is still to use the binary name.

____________________________________________
Ken Schmidt
Research Scientist, Molecular Science Computing Operations
EMSL: Environmental Molecular Sciences Laboratory

Pacific Northwest National Laboratory
902 Battelle Boulevard
P.O. Box 999, MSIN K8-83
Richland, WA 99352 USA
Tel: 509-371-6107
Fax: 509-371-6110
Kenneth.schmidt at pnnl.gov
www.emsl.pnl.gov

This material was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the United States Department of Energy, nor any of their employees, nor Battelle Memorial Institute nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.
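To see how a per-zone PAM service name would be resolved under sshd's Match rules, here is an added example (not part of the patch or of OpenSSH) that parses a constructed sshd_config fragment and applies sshd's own precedence: the first matching Match block that sets a keyword wins, and the global section is the fallback. PAMServiceName is the directive proposed by the patch, not an upstream keyword; the service names and addresses are assumptions.

```python
import ipaddress
import shlex

# Constructed sshd_config fragment (not from the thread). PAMServiceName is the
# directive proposed by the patch, not an upstream OpenSSH keyword.
SSHD_CONFIG = """
PAMServiceName sshd
PasswordAuthentication yes

# Trusted zones keep plain password authentication via their own PAM stack.
Match Address 10.0.0.0/8,192.168.1.0/24
    PAMServiceName sshd-password

# Every other IPv4 source goes through the hardware-token PAM stack.
Match Address 0.0.0.0/0
    PAMServiceName sshd-securid
    PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Return (global_opts, [(criteria, opts), ...]); first value per keyword in a section is kept."""
    global_opts, blocks, opts = {}, [], None
    for raw in text.splitlines():
        fields = shlex.split(raw.split("#", 1)[0])   # strip comments and blank lines
        if not fields:
            continue
        key, args = fields[0].lower(), fields[1:]
        if key == "match":
            if len(args) == 1 and args[0].lower() == "all":
                criteria = {"all": ""}
            else:   # criteria come in "Criterion pattern" pairs
                criteria = {c.lower(): p for c, p in zip(args[0::2], args[1::2])}
            opts = {}
            blocks.append((criteria, opts))
        else:
            (global_opts if opts is None else opts).setdefault(key, " ".join(args))
    return global_opts, blocks

def address_matches(patterns, addr):
    """Match a comma-separated Address pattern list (CIDR, literal, or *) against addr."""
    ip = ipaddress.ip_address(addr)
    for pat in patterns.split(","):
        if "/" in pat and ip in ipaddress.ip_network(pat, strict=False):
            return True
        if pat == "*" or pat == str(ip):
            return True
    return False

def block_matches(criteria, addr):
    # Only Address (and All) is modelled; other criteria (User, Group, ...) never match here.
    return all(crit == "all" or (crit == "address" and address_matches(pat, addr))
               for crit, pat in criteria.items())

def effective_option(cfg, keyword, addr):
    """sshd semantics: first matching Match block that sets the keyword wins, else the global value."""
    global_opts, blocks = cfg
    for criteria, opts in blocks:
        if block_matches(criteria, addr) and keyword.lower() in opts:
            return opts[keyword.lower()]
    return global_opts.get(keyword.lower())
```

Note the caveat this exposes: a trusted 10.0.0.0/8 client gets PAMServiceName sshd-password, but because the catch-all block also matches it and the first block never set PasswordAuthentication, it inherits PasswordAuthentication no from the second block; each keyword is resolved independently across all matching blocks.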
Seems as though somewhere along the way the attachment got stripped. Let's see if it makes it through this time.

On 5/13/13 9:22 a.m., "Schmidt, Kenneth P" <kenneth.schmidt at pnnl.gov> wrote:

> Hello All,
>
> The attached patch allows openssh to specify which pam service name to
> authenticate users against by specifying the PAMServiceName attribute in
> the sshd_config file. Because the parameter can be included in the Match
> directive sections, it allows different authentication based on the Match
> directive. In our case, we use it to allow different levels of
> authentication based on the source of the authentication attempts
> (securID auth in untrusted zones, password auth in trusted zones). The
> default is still to use the binary name.
> The attached patch allows openssh to specify which pam service name to
> authenticate users against by specifying the PAMServiceName attribute in
> the sshd_config file. Because the parameter can be included in the Match
> directive sections, it allows different authentication based on the Match
> directive. In our case, we use it to allow different levels of
> authentication based on the source of the authentication attempts
> (securID auth in untrusted zones, password auth in trusted zones). The
> default is still to use the binary name.

Have a look at this thread:
http://thread.gmane.org/gmane.network.openssh.devel/9576

My old attempt at solving the same issue is now 10 years old. Oh well...
http://article.gmane.org/gmane.network.openssh.devel/4247

Hope this helps,
Flavien.
On Mon, May 13, 2013 at 11:22:13 -0500, Schmidt, Kenneth P wrote:

> Hello All,
>
> The attached patch allows openssh to specify which pam service name to
> authenticate users against by specifying the PAMServiceName attribute in
> the sshd_config file. Because the parameter can be included in the Match
> directive sections, it allows different authentication based on the Match
> directive. In our case, we use it to allow different levels of
> authentication based on the source of the authentication attempts
> (securID auth in untrusted zones, password auth in trusted zones). The
> default is still to use the binary name.

Hello Ken,

Do you anticipate using this primarily with PasswordAuthentication or ChallengeResponseAuthentication? There may be situations where it is desirable to use different PAM service names for each of these authentication methods. For example, it might be desirable to allow a choice of password or public-key authentication in conjunction with the use of a hardware token via AuthenticationMethods:

    AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive

In such a scenario, you would probably want to use different PAM configurations for keyboard-interactive and password authentication. Keyboard-interactive would use a different PAM service name to implement the hardware token support, but you might still want password authentication to use PAM for failed login tracking, LDAP support, etc.

Perhaps one approach would be to extend the submethod support which was recently added to AuthenticationMethods; adding an optional third parameter which (in the case of PAM) would specify the service name. Using the above AuthenticationMethods line as an example, the new (somewhat lengthy) line would be:

    AuthenticationMethods publickey,keyboard-interactive:pam:service password,keyboard-interactive:pam:service

--
Iain Morgan