
Configurable PAM Service name
I have created patches to allow for a configurable PAM service
name. I use this with the ListenAddress configuration parameters,
along with IP aliasing and firewall blocking, to force a SecurID
authentication on remote connections but still allow for "normal"
access internally.

If anyone is interested, here they are:


Index: auth-pam.c
===================================================================
RCS file: /u/itsrc/cvs/security/openssh/auth-pam.c,v
retrieving revision 1.1.1.3
retrieving revision 1.1.1.3.2.1
diff -u -r1.1.1.3 -r1.1.1.3.2.1
--- auth-pam.c 2000/05/11 21:28:36 1.1.1.3
+++ auth-pam.c 2000/05/13 17:33:09 1.1.1.3.2.1
@@ -211,11 +211,12 @@
/* Start PAM authentication for specified account */
void start_pam(struct passwd *pw)
{
+ extern ServerOptions options;
int pam_retval;

- debug("Starting up PAM with username \"%.200s\"", pw->pw_name);
+ debug("Starting up PAM with service \"%s\" and username \"%.200s\"", options.pam_service, pw->pw_name);

- pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv,
+ pam_retval = pam_start(options.pam_service, pw->pw_name, &conv,
(pam_handle_t**)&pamh);
if (pam_retval != PAM_SUCCESS)
fatal("PAM initialisation failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
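Review bot: The `extern ServerOptions options;` added as the first line of start_pam is a block-scope extern, which ties the declaration to this one function and still depends on the ServerOptions type being visible in auth-pam.c (the hunk does not show whether servconf.h is included); it would read better as a file-scope `extern ServerOptions options; /* set by the servconf.c defaults pass before start_pam() runs */` next to the other file-level declarations. The new debug() line prints options.pam_service with `%s` while pw_name keeps `%.200s`; using `%.200s` for both keeps the call consistent with the surrounding style. The value reaching pam_start() is whatever servconf.c filled in, so start_pam relies on the defaults pass having run first — worth stating in the comment above the function. start_pam's body appears to continue past the end of the hunk.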
Index: servconf.c
===================================================================
RCS file: /u/itsrc/cvs/security/openssh/servconf.c,v
retrieving revision 1.1.1.3
retrieving revision 1.1.1.3.2.1
diff -u -r1.1.1.3 -r1.1.1.3.2.1
--- servconf.c 2000/05/11 21:28:52 1.1.1.3
+++ servconf.c 2000/05/13 17:33:09 1.1.1.3.2.1
@@ -34,6 +34,7 @@
options->host_key_file = NULL;
options->host_dsa_key_file = NULL;
options->pid_file = NULL;
+ options->pam_service = NULL;
options->server_key_bits = -1;
options->login_grace_time = -1;
options->key_regeneration_time = -1;
@@ -89,6 +90,8 @@
options->host_dsa_key_file = HOST_DSA_KEY_FILE;
if (options->pid_file == NULL)
options->pid_file = SSH_DAEMON_PID_FILE;
+ if (options->pam_service == NULL)
+ options->pam_service = SSHD_PAM_SERVICE;
if (options->server_key_bits == -1)
options->server_key_bits = 768;
if (options->login_grace_time == -1)
@@ -177,7 +180,7 @@
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
- sGatewayPorts, sDSAAuthentication
+ sPAMService, sGatewayPorts, sDSAAuthentication
} ServerOpCodes;

/* Textual representation of the tokens. */
@@ -189,6 +192,7 @@
{ "hostkey", sHostKeyFile },
{ "hostdsakey", sHostDSAKeyFile },
{ "pidfile", sPidFile },
+ { "pamservice", sPAMService },
{ "serverkeybits", sServerKeyBits },
{ "logingracetime", sLoginGraceTime },
{ "keyregenerationinterval", sKeyRegenerationTime },
@@ -385,6 +389,18 @@
}
if (*charptr == NULL)
*charptr = tilde_expand_filename(cp, getuid());
+ break;
+
+ case sPAMService:
+ charptr = &options->pam_service;
+ cp = strtok(NULL, WHITESPACE);
+ if (!cp) {
+ fprintf(stderr, "%s line %d: missing PAM service name.\n",
+ filename, linenum);
+ exit(1);
+ }
+ if (*charptr == NULL)
+ *charptr = xstrdup(cp);
break;

case sRandomSeedFile:
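Review bot: The new sPAMService case stores any whitespace-delimited token as the service name without validation, so a misspelled name is not caught at parse time and only shows up when pam_start() looks the service up during authentication (on Linux-PAM a missing service file may fall back to the `other` policy rather than fail). Since the name is used by PAM to locate a per-service policy file, it would be reasonable to reject a token containing a path separator, e.g. `if (strchr(cp, '/')) { fprintf(stderr, "%s line %d: invalid PAM service name.\n", filename, linenum); exit(1); }`, in the same fprintf/exit style the surrounding cases use. A one-line comment above the case, `/* PAM service name handed to pam_start(); first occurrence wins, like pidfile */`, would document the first-wins behaviour that the `if (*charptr == NULL)` guard copies from the preceding case. The enclosing function starts and ends outside the hunk.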
Index: servconf.h
===================================================================
RCS file: /u/itsrc/cvs/security/openssh/servconf.h,v
retrieving revision 1.1.1.2
retrieving revision 1.1.1.2.2.1
diff -u -r1.1.1.2 -r1.1.1.2.2.1
--- servconf.h 2000/05/11 21:28:53 1.1.1.2
+++ servconf.h 2000/05/13 17:33:10 1.1.1.2.2.1
@@ -34,6 +34,7 @@
char *host_key_file; /* File containing host key. */
char *host_dsa_key_file; /* File containing dsa host key. */
char *pid_file; /* Where to put our pid */
+ char *pam_service; /* Service name for PAM */
int server_key_bits;/* Size of the server key. */
int login_grace_time; /* Disconnect if no auth in this time
* (sec). */
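Review bot: The comment on the new pam_service field says only "Service name for PAM", which does not tell a reader that the field may point either at the static SSHD_PAM_SERVICE default or at heap memory from xstrdup() depending on whether the "pamservice" keyword appeared in the configuration — the same mixed ownership pid_file has, but worth stating since nothing frees it. A fuller comment would be `char *pam_service; /* PAM service name; SSHD_PAM_SERVICE unless "pamservice" is set (then xstrdup'd) */`.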