
Bug#255870: ssh: defining SSHD_PAM_SERVICE breaks ability to set PAM service



On Wed, 2004-06-23 at 13:34, Matthew Vernon wrote:
> Is there a reason you couldn't symlink the PAM config file if
> necessary? 

Err, perhaps I didn't describe the problem well enough. Normally when
you compile openssh without SSHD_PAM_SERVICE defined, it uses the name
of the program (basename of argv[0]) as the pam service. This allows you
to do something like make a symlink to the binary with a different name
and use that as the pam service.

e.g.:

# ln -s /usr/sbin/sshd /usr/sbin/sshd-opie

...and then have a pam stack in...

/etc/pam.d/sshd-opie

The problem is that when SSHD_PAM_SERVICE is defined at compile time, it
always uses that as the pam service regardless of what the binary is
named. This means that you're limited to a single pam stack for ssh
regardless of how many ssh daemons you run on the box.

IMHO, it would be best if this was settable via sshd_config, but the
OpenSSH team doesn't seem receptive to the idea, as they want to keep
changes between the official and portability releases to a bare minimum.

The way to fix this would be to not define SSHD_PAM_SERVICE at compile
time (remove it from CFLAGS), and then rename the file in /etc/pam.d to
'sshd' instead of 'ssh'.

Thoughts?
-- 
Jeff Layton <jtlayton@poochiereds.net>
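
Added example (not part of the original message, and not OpenSSH code): a shell model of the service-name selection described above, with a check for which file under /etc/pam.d a given daemon name would use. The function names and the COMPILED_SERVICE argument are hypothetical; the fall-through to the `other` stack when no matching file exists is Linux-PAM behaviour.

```shell
#!/bin/sh
# Added example: models the two build modes the message describes and
# reports which PAM stack file a given sshd invocation would use.

# pam_service_for ARGV0 [COMPILED_SERVICE]
# COMPILED_SERVICE stands in for a compile-time SSHD_PAM_SERVICE; pass ""
# (or omit it) to model a build where the macro is not defined.
pam_service_for() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$2"          # fixed name, argv[0] is ignored
    else
        printf '%s\n' "${1##*/}"    # basename of argv[0]
    fi
}

# pam_stack_for ARGV0 COMPILED_SERVICE [PAM_DIR]
# Prints the stack file that would be consulted.
# Returns 0 if a dedicated file exists, 1 if only the Linux-PAM "other"
# fallback applies, 2 if neither file is present.
pam_stack_for() {
    _dir=${3:-/etc/pam.d}
    _svc=$(pam_service_for "$1" "$2")
    if [ -f "$_dir/$_svc" ]; then
        printf '%s\n' "$_dir/$_svc"
        return 0
    elif [ -f "$_dir/other" ]; then
        printf '%s\n' "$_dir/other"
        return 1
    fi
    return 2
}

# The symlink from the message, on a build without the macro defined.
pam_stack_for /usr/sbin/sshd-opie "" ||
    echo "sshd-opie has no dedicated PAM stack (status $?)" >&2
```

A status of 1 is the case worth catching before a second daemon goes live: the symlinked name resolves to a service with no file of its own, so authentication runs through whatever `other` contains.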



