Ramón García
2019-Aug-04 13:39 UTC
Feature request: Allow custom directory for privilege separation in the configuration file. And change the pam module.
In order to be able to have different instances of sshd running in a machine (for instance, one for system administrators, other for a file transfer service) it should be useful:

- To allow the administrator to specify the name of the pam module, so that one can create a customized file in /etc/pam.d
- A customized privilege separation directory.

At present I am using Linux mount --bind to have a different privilege separation directory, but it is a kludge.

Best regards.
Colin Watson
2019-Aug-04 22:35 UTC
Feature request: Allow custom directory for privilege separation in the configuration file. And change the pam module.
On Sun, Aug 04, 2019 at 03:39:02PM +0200, Ramón García wrote:
> In order to be able to have different instances of sshd running in a
> machine (for instance, one for system administrators, other for a file
> transfer service) it should be useful:
>
> - To allow the administrator to specify the name of the pam module, so
> that one can create a customized file in /etc/pam.d
> - A customized privilege separation directory.

You can do these already - you just need to build OpenSSH from source yourself. --with-pam-service and --with-privsep-path are the relevant ./configure options.

--
Colin Watson [cjwatson at debian.org]
Damien Miller
2019-Aug-05 02:46 UTC
Feature request: Allow custom directory for privilege separation in the configuration file. And change the pam module.
On Sun, 4 Aug 2019, Ramón García wrote:
> In order to be able to have different instances of sshd running in a
> machine (for instance, one for system administrators, other for a file
> transfer service) it should be useful:
>
> - To allow the administrator to specify the name of the pam module, so
> that one can create a customized file in /etc/pam.d
> - A customized privilege separation directory.

Why do you need this? It just needs to be an empty directory that the sshd privsep process has no write access to. It's completely fine to share them between instances.

-d
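Added example, not part of the thread and not OpenSSH code: a shell check for the property described in the reply above (an empty directory the privsep process cannot write to), expressed here as root ownership with no group or world write bits. The function name `check_privsep_dir` and its optional expected-UID argument are assumptions for illustration, and `stat -c` assumes GNU coreutils on Linux.

```shell
#!/bin/sh
# Added example: audit a directory for use as an sshd privilege separation path.
# check_privsep_dir is a hypothetical helper, not an OpenSSH tool.
# Usage: check_privsep_dir DIR [EXPECTED_UID]   (EXPECTED_UID defaults to 0)
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    rc=0

    # Refuse symlinks so the checks apply to the path itself, not a target.
    if [ -L "$dir" ]; then
        echo "FAIL: $dir is a symlink" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2
        return 1
    fi

    uid=$(stat -c %u "$dir")    # numeric owner (GNU stat)
    mode=$(stat -c %a "$dir")   # octal permission bits, e.g. 755

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $uid, expected $want_uid" >&2
        rc=1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = group/other write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir is group- or world-writable (mode $mode)" >&2
        rc=1
    fi
    # ls -A lists everything except . and .. so any output means "not empty".
    if [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo "FAIL: $dir is not empty" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}
```

Because the directory only has to satisfy these properties, one path that passes the check can serve several sshd instances.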
Jakub Jelen
2019-Aug-05 12:39 UTC
Feature request: Allow custom directory for privilege separation in the configuration file. And change the pam module.
On Sun, 2019-08-04 at 15:39 +0200, Ramón García wrote:
> In order to be able to have different instances of sshd running in a
> machine (for instance, one for system administrators, other for a
> file transfer service) it should be useful:
>
> - To allow the administrator to specify the name of the pam module,
> so that one can create a customized file in /etc/pam.d

If you can rebuild OpenSSH, a trivial patch implementing this has been here for more than 5 years:

https://bugzilla.mindrot.org/show_bug.cgi?id=2102

later replaced by more complicated version in:

https://bugzilla.mindrot.org/show_bug.cgi?id=2246

But neither got in so far.

Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.