similar to: [Bug 2246] New: PAM enhancements for OpenSSH server

https://bugzilla.mindrot.org/show_bug.cgi?id=2102 Bug ID: 2102 Summary: [PATCH] Specify PAM Service name in sshd_config Classification: Unclassified Product: Portable OpenSSH Version: 6.2p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: PAM support

I append a patch against openssh-3.5p1.tar.gz which adds a config option PAMServiceName. The option allows one to specify the PAM service at runtime in the config file rather than using __progname or having it hardwired to SSHD_PAM_SERVICE at compile time. I expect this to be useful if one wants to run multiple instances of sshd using different PAM configurations. With this patch

Any chance PAMServiceName could be added as a Match option? It would be great to have a different PAM config (MFA, etc.) based on source address. -- Carson

Hello All, The attached patch allows openssh to specify which pam service name to authenticate users against by specifying the PAMServiceName attribute in the sshd_config file. Because the parameter can be included in the Match directive sections, it allows different authentication based on the Match directive. In our case, we use it to allow different levels of authentication based on the

http://www.mindrot.org/~djm/openssh/openssh-newpam-20030123.tar.gz Is a snapshot of the new PAM-via-KbdInt authentication support from FreeBSD's OpenSSH tree. Please test this now. I can only surmise by the silence that has greeted my previous requests for testing that the code works perfectly. -d

I'm writing a PAM module to do authentication through Signal (as in Open Whisper Systems) [1]. I would like to be able to offer (Public key AND Signal) or (Password AND Signal) for authentication. This suggests setting AuthenticationMethods to publickey,keyboard-interactive:pam password,keyboard-interactive:pam However, when PAM is enabled "password" means "show password

Ok, so, things are complicated. The PAM standard insists on password aging being done after account authorization, which comes after user authentication. Kerberos can't authenticate users whose passwords are expired. So PAM_KRB5 implementations tend to return PAM_SUCCESS from pam_krb5:pam_sm_authenticate() and arrange for pam_krb5:pam_sm_acct_mgmt() to return PAM_NEW_AUTHTOK_REQD, as

Currently, openssh's PAM service name is a compile-time choice. That's fine when one uses one sshd to serve normal shell logins and the like. But this will not work IF sshd is nor run as root (which I don't want it to do), because pam_open_session usually requires access to one's shadow information (for account expiration perhaps?), and there is no way (and need: this sshd is

It's sometimes desired to be able to alter login policy depending upon how the person was connecting for the ssh server. For example you might want different rules on the internal and external interface of a gateway. In another setup you might want an sshd with a different login policy running on a different port - and setup different firewalling rules (for example). I have implemented such

On 12/11/2024 12:39, anctop wrote: > It seems that release 9.9p1 does not use the binary filename as the > PAM service name, but sticks to "sshd" for all instances. man sshd_config: ???? PAMServiceName ???????????? Specifies the service name used for Pluggable Authentication Modules (PAM) authentication, authorisation and session controls when ???????????? UsePAM is

Hi, Many thanks for your prompt answer. We overlooked this new option because it was not available in the 9.3p1 config. On Tue, 12 Nov 2024 at 20:52, Brian Candler <b.candler at pobox.com> wrote: > > On 12/11/2024 12:39, anctop wrote: > > It seems that release 9.9p1 does not use the binary filename as the > PAM service name, but sticks to "sshd" for all

I configure as follows: ./configure --with-zlib=/usr/local/include cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o

hello, little problem compiling openssh 4.6p1 on irix using mipspro 7.4.x. c99 -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o

I have been trying to install 3.4p1 on a number of machines. Servers on ia64 Linux, i386 Linux and SPARC Solaris are all working like charms. On the other hand, I am having trouble at least with HPUX 11, DEC OSF 5.1 and Unixware: on all those systems, sshd bails out after authentication with an error in buffer_append_space. Here is the output of sshd -d on the UnixWare machine (uname -a:

On Sat, 19 Apr 2025 at 14:44, Damien Miller <djm at mindrot.org> wrote: > On Thu, 17 Apr 2025, Yu, Mingli wrote: > [...] > > I'm using openssh 9.9p2 and have defined the below logic into > /etc/pam.d/sshd. > > session required pam_env.so > > > > But the environment variables defined in /etc/environment file are not > > effective when login via ssh.

Currently, have "session required pam_env.so debug" in /etc/pam.d/sshd and "UsePAM yes" in /etc/ssh/sshd_config. After restart sshd service and ssh from 192.168.7.3 as below: # ssh root at 192.168.7.4 # echo $PATH /usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin And still didn't the expected PATH. on 192.168.7.4, # tail -f /var/log/auth.log

https://bugzilla.mindrot.org/show_bug.cgi?id=2242 Bug ID: 2242 Summary: add DisableBanner option to the ssh client command Product: Portable OpenSSH Version: 6.6p1 Hardware: Sparc OS: Solaris Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee:

Hi all, If you take a look at the service.rb file in the win32-service repository (the new one in the toplevel repository path), I''ve got this bit of code, which succeeds, but I can''t seem to unpack the data structure properly. Did I pack it wrong to begin with? I should know this but I''m spacing out. proc_status =

Please pardon any user idiocy involved, but I applied the OpenBSD 3.4 patch to the 3.9 sources on both my i386 and sparc64 OpenBSD 3.4 boxes, and get the same error: cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o

Thanks for the pointer! I played around with PamServiceName set to 'sshd_disable_auth' and got it working with the minimum contents below in the file /etc/pam.d/sshd_disable_auth. auth required pam_permit.so account required pam_permit.so session required pam_permit.so Thus, this does indeed enable disabling authentication. Unfortunately, as far as I can tell, only root can create files