Bug#255870: ssh: defining SSHD_PAM_SERVICE breaks ability to set PAM service
On Wed, 2004-06-23 at 13:34, Matthew Vernon wrote:
> Is there a reason you couldn't symlink the PAM config file if
> necessary?
Err, perhaps I didn't describe the problem well enough. Normally when
you compile openssh without SSHD_PAM_SERVICE defined, it uses the name
of the program (basename of argv[0]) as the pam service. This allows you
to do something like make a symlink to the binary with a different name
and use that as the pam service.
e.g.:
# ln -s /usr/sbin/sshd /usr/sbin/sshd-opie
...and then have a pam stack in...
/etc/pam.d/sshd-opie
The problem is that when SSHD_PAM_SERVICE is defined at compile time, it
always uses that as the pam service regardless of what the binary is
named. This means that you're limited to a single pam stack for ssh
regardless of how many ssh daemons you run on the box.
IMHO, it would be best if this was settable via sshd_config, but the
OpenSSH team doesn't seem receptive to the idea, as they want to keep
changes between the official and portability releases to a bare minimum.
The way to fix this would be to not define SSHD_PAM_SERVICE at compile
time (remove it from CFLAGS), and then rename the file in /etc/pam.d to
'sshd' instead of 'ssh'.
Thoughts?
--
Jeff Layton <jtlayton@poochiereds.net>
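
Added example, not part of the original message and not OpenSSH source: a small C model of the service-name selection described above, showing which /etc/pam.d file each binary name maps to with and without a compile-time service name. The helper names and the "sshd" fallback for an empty program name are assumptions made for illustration; the compiled-in value "ssh" is taken from the file name mentioned in the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not OpenSSH source). compiled_service models a
 * build-time SSHD_PAM_SERVICE value; NULL models a build without it. */
const char *pam_service_for(const char *argv0, const char *compiled_service)
{
    const char *base;

    if (compiled_service != NULL)
        return compiled_service;      /* the binary's name is ignored */
    if (argv0 == NULL)
        return "sshd";                /* assumed fallback, illustration only */
    base = strrchr(argv0, '/');
    base = (base != NULL) ? base + 1 : argv0;   /* basename of argv[0] */
    return (*base != '\0') ? base : "sshd";
}

/* Writes the PAM stack path for the selected service into out.
 * Returns 0 on success, -1 if the path does not fit in the buffer. */
int pam_stack_path(char *out, size_t outlen, const char *argv0,
                   const char *compiled_service)
{
    int n = snprintf(out, outlen, "/etc/pam.d/%s",
                     pam_service_for(argv0, compiled_service));
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample: the real binary and the symlink from the message. */
    const char *names[] = { "/usr/sbin/sshd", "/usr/sbin/sshd-opie" };
    char with_macro[64], without_macro[64];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (pam_stack_path(without_macro, sizeof without_macro, names[i], NULL) != 0 ||
            pam_stack_path(with_macro, sizeof with_macro, names[i], "ssh") != 0)
            return 1;
        printf("%-20s undefined: %-22s defined as \"ssh\": %s\n",
               names[i], without_macro, with_macro);
    }
    return 0;
}
```

With the compile-time name set, both invocations resolve to the same stack file, so a second daemon started through the symlink cannot be given its own authentication policy.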