search for: sshd_pam_service

I append a patch against openssh-3.5p1.tar.gz which adds a config option PAMServiceName. The option allows one to specify the PAM service at runtime in the config file rather than using __progname or having it hardwired to SSHD_PAM_SERVICE at compile time. I expect this to be useful if one wants to run multiple instances of sshd using different PAM configurations. With this patch SSHD_PAM_SERVICE is not used in auth-pam.c so I moved the definition out of auth-pam.h into servconf.h. Effectively SSHD_PAM_SERVICE now merely supplies...

...e server, and would like to use /etc/pam.d/ssh_remote as the pam config-file for the second instance of sshd and continue to use /etc/pam.d/ssh for the first one. It comes down to change the "service_name" parameter of pam_start() for the second daemon. I had a look in the source and SSHD_PAM_SERVICE is a constant. I could of course recompile with -DSSHD_PAM_SERVICE= "ssh_remote" but I would have to have two sets of binaries : One sshd and another sshd_remote. Not really easy. :-( Attached is a patch that allows me to do this in the config file by appending a strin...

...#define NEW_AUTHTOK_MSG \ diff -urN openssh-2.5.1p1-orig/ssh.h openssh-2.5.1p1/ssh.h --- openssh-2.5.1p1-orig/ssh.h Mon Feb 5 09:43:59 2001 +++ openssh-2.5.1p1/ssh.h Thu Feb 22 10:50:20 2001 @@ -61,7 +61,7 @@ #define SSH_SERVICE_NAME "ssh" #if defined(USE_PAM) && !defined(SSHD_PAM_SERVICE) -# define SSHD_PAM_SERVICE "sshd" +# define SSHD_PAM_SERVICE __progname #endif /*

It's sometimes desired to be able to alter login policy depending upon how the person was connecting for the ssh server. For example you might want different rules on the internal and external interface of a gateway. In another setup you might want an sshd with a different login policy running on a different port - and setup different firewalling rules (for example). I have implemented such

This patch adds a config file option 'PAMService' that sets the PAM service sshd will use. It should leave the current behavior unchanged if PAMService is not set in the config file (i.e. use __progname for the service or SSHD_PAM_SERVICE if it's set at compile time). The patch is against the current portability release in CVS. Why would you want something like this? I have a machine at work that I use as an SSH bastion. It runs a "normal" ssh daemon that allows root logins, etc that I use for management, and a second...

...nge_required) { + pamstate = OTHER; + do { + pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + } while (pam_retval != PAM_SUCCESS); } } @@ -238,12 +291,11 @@ debug("Starting up PAM with username \"%.200s\"", pw->pw_name); - pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, - (pam_handle_t**)&pamh); + pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, &pamh); if (pam_retval != PAM_SUCCESS) { fatal("PAM initialisation failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_ST...

...t */ +static void start_pam2(struct passwd *pw, int auth_type) +{ int pam_retval; + const char *service=NULL; - debug("Starting up PAM with username \"%.200s\"", pw->pw_name); + switch (auth_type) { + case SSH_CMSG_AUTH_PASSWORD : + service=SSHD_PAM_SERVICE; + break; + case SSH_CMSG_AUTH_TIS : + service=SSHD_PAM_TIS_SERVICE; + break; + default: + fatal("PAM attempted for unsupported authentication type\n"); + } + + current_auth_type=auth_type; + + debug("Sta...

http://bugzilla.mindrot.org/show_bug.cgi?id=1041 Summary: Allow the admin to specify PAM service name Product: Portable OpenSSH Version: -current Platform: All OS/Version: Linux Status: NEW Severity: enhancement Priority: P2 Component: PAM support AssignedTo: bitbucket at mindrot.org

Hello. Which pam service is sshd using on Solaris? Is it sshd? Thanks, Alexander Skwar -- Message from Our Sponsor on ttyTV at 13:58 ...

....h,v retrieving revision 1.16 diff -u -r1.16 auth-pam.h --- auth-pam.h 23 Jul 2002 00:44:07 -0000 1.16 +++ auth-pam.h 21 Dec 2002 11:39:05 -0000 @@ -25,6 +25,8 @@ */ #include "includes.h" +#include "channels.h" +#include "session.h" #ifdef USE_PAM #if !defined(SSHD_PAM_SERVICE) Index: monitor.c =================================================================== RCS file: /cvs/openssh/monitor.c,v retrieving revision 1.33 diff -u -r1.33 monitor.c --- monitor.c 9 Nov 2002 15:47:49 -0000 1.33 +++ monitor.c 21 Dec 2002 11:39:06 -0000 @@ -118,6 +118,7 @@ #ifdef USE_PAM int...

...v retrieving revision 1.16 diff -u -u -r1.16 auth-pam.h --- auth-pam.h 23 Jul 2002 00:44:07 -0000 1.16 +++ auth-pam.h 10 Dec 2002 12:34:10 -0000 @@ -25,6 +25,8 @@ */ #include "includes.h" +#include "channels.h" +#include "session.h" #ifdef USE_PAM #if !defined(SSHD_PAM_SERVICE) Index: monitor.c =================================================================== RCS file: /cvs/openssh/monitor.c,v retrieving revision 1.33 diff -u -u -r1.33 monitor.c --- monitor.c 9 Nov 2002 15:47:49 -0000 1.33 +++ monitor.c 10 Dec 2002 12:34:11 -0000 @@ -118,6 +118,7 @@ #ifdef USE_PAM...

...AM_SUCCESS && strcmp(user, pam_user) == 0) return (0); - pam_end(sshpam_handle, sshpam_err); - sshpam_handle = NULL; + pam_end(grab_pamh(0, NULL), sshpam_err); + grab_pamh(1, NULL); } debug("PAM: initializing for \"%s\"", user); sshpam_err = - pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); + pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle_holder); + grab_pamh(1, sshpam_handle_holder); if (sshpam_err != PAM_SUCCESS) { - pam_end(sshpam_handle, sshpam_err); - sshpam_handle = NULL; + pam_end(grab_pamh(0, NULL), ssh...

...ons are added at the bottom, they'll be in user section rather than the server section. - on startup, have sshd log the PAM service it's going to recognize. I had a situation with machines using different strings (sometimes the default "sshd", sometimes compiled with -DSSHD_PAM_SERVICE="ssh"), and I couldn't tell which the particular binary was looking for. Doing a 'strings' on the binary didn't help. :) So, I added a message to log this on startup, when compiled with PAM support. - in auth-pam.c:pamconv(), add support for PAM_ERROR_MSG. Al...

...} - packet_send(); - packet_write_wait(); + free(*resp); + *resp = NULL; + return (PAM_CONV_ERR); +} +/* + * Child process. + */ +static void * +sshpam_child(struct sshpam_ctxt *ctxt) +{ + struct pam_conv conv = { sshpam_child_conv, ctxt }; + pam_handle_t *sshpamh; + int err; + + err = pam_start(SSHD_PAM_SERVICE, ctxt->user, &conv, &sshpamh); + if (err != PAM_SUCCESS) + goto auth_fail; + err = pam_authenticate(sshpamh, 0); + if (err != PAM_SUCCESS) + goto auth_fail; + err = pam_acct_mgmt(sshpamh, 0); + if (err != PAM_SUCCESS) + goto auth_fail; +#if 0 /* - * Grabbing control of execution an...

...} - packet_send(); - packet_write_wait(); + free(*resp); + *resp = NULL; + return (PAM_CONV_ERR); +} +/* + * Child process. + */ +static void * +sshpam_child(struct sshpam_ctxt *ctxt) +{ + struct pam_conv conv = { sshpam_child_conv, ctxt }; + pam_handle_t *sshpamh; + int err; + + err = pam_start(SSHD_PAM_SERVICE, ctxt->user, &conv, &sshpamh); + if (err != PAM_SUCCESS) + goto auth_fail; + err = pam_authenticate(sshpamh, 0); + if (err != PAM_SUCCESS) + goto auth_fail; + err = pam_acct_mgmt(sshpamh, 0); + if (err != PAM_SUCCESS) + goto auth_fail; +#if 0 /* - * Grabbing control of execution an...