diff --git a/auth-pam.c b/auth-pam.c
index d64802371..2c1a8d3df 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -67,10 +67,6 @@
 #include
 #endif
-#if !defined(SSHD_PAM_SERVICE)
-# define SSHD_PAM_SERVICE "sshd"
-#endif
-
 /* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
 #ifdef PAM_SUN_CODEBASE
 # define sshpam_const /* Solaris, HP-UX, SunOS */
@@ -693,6 +689,8 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
 const char **ptr_pam_user = &pam_user;
 int r;
+ if (options.pam_service_name == NULL)
+ fatal_f("internal error: NULL PAM service name");
 #if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
 /* Protect buggy PAM implementations from excessively long usernames */
 if (strlen(user) >= PAM_MAX_RESP_SIZE)
@@ -714,9 +712,10 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
 pam_end(sshpam_handle, sshpam_err);
 sshpam_handle = NULL;
 }
- debug("PAM: initializing for \"%s\"", user);
- sshpam_err =
- pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
+ debug("PAM: initializing for \"%s\" with service \"%s\"", user,
+ options.pam_service_name);
+ sshpam_err = pam_start(options.pam_service_name, user,
+ &store_conv, &sshpam_handle);
 sshpam_authctxt = authctxt;
 if (sshpam_err != PAM_SUCCESS) {
diff --git a/servconf.c b/servconf.c
index 22afbeded..5b32f0bfc 100644
--- a/servconf.c
+++ b/servconf.c
@@ -69,6 +69,10 @@
 #include "myproposal.h"
 #include "digest.h"
+#if !defined(SSHD_PAM_SERVICE)
+# define SSHD_PAM_SERVICE "sshd"
+#endif
+
 static void add_listen_addr(ServerOptions *, const char *,
 const char *, int);
 static void add_one_listen_addr(ServerOptions *, const char *,
@@ -88,6 +92,7 @@ initialize_server_options(ServerOptions *options)
 /* Portable-specific options */
 options->use_pam = -1;
+ options->pam_service_name = NULL;
 /* Standard Options */
 options->num_ports = 0;
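Review bot: The new `fatal_f()` guard on `options.pam_service_name` in sshpam_init carries no explanation of why a NULL here is an internal error rather than a configuration error, which is worth stating because the servconf.c hunk in this same diff makes fill_default_server_options() substitute `SSHD_PAM_SERVICE` whenever the option was never set. A one-line comment above the check would make the invariant explicit: `/* fill_default_server_options() always sets this; NULL means defaults were never applied */`. sshpam_init's body starts before and continues past this hunk.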
@@ -291,6 +296,8 @@ fill_default_server_options(ServerOptions *options)
 /* Portable-specific options */
 if (options->use_pam == -1)
 options->use_pam = 0;
+ if (options->pam_service_name == NULL)
+ options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
 /* Standard Options */
 if (options->num_host_key_files == 0) {
@@ -530,7 +537,7 @@ fill_default_server_options(ServerOptions *options)
 typedef enum {
 sBadOption, /* == unknown option */
 /* Portable-specific options */
- sUsePAM,
+ sUsePAM, sPAMServiceName,
 /* Standard Options */
 sPort, sHostKeyFile, sLoginGraceTime,
 sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
@@ -583,8 +590,10 @@ static struct {
 /* Portable-specific options */
 #ifdef USE_PAM
 { "usepam", sUsePAM, SSHCFG_GLOBAL },
+ { "pamservicename", sPAMServiceName, SSHCFG_ALL },
 #else
 { "usepam", sUnsupported, SSHCFG_GLOBAL },
+ { "pamservicename", sUnsupported, SSHCFG_ALL },
 #endif
 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
 /* Standard Options */
@@ -1318,6 +1327,16 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 case sUsePAM:
 intptr = &options->use_pam;
 goto parse_flag;
+ case sPAMServiceName:
+ charptr = &options->pam_service_name;
+ arg = argv_next(&ac, &av);
+ if (!arg || *arg == '\0') {
+ fatal("%s line %d: missing argument.",
+ filename, linenum);
+ }
+ if (*activep && *charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
 /* Standard Options */
 case sBadOption:
@@ -3128,6 +3147,7 @@ dump_config(ServerOptions *o)
 /* integer arguments */
 #ifdef USE_PAM
 dump_cfg_fmtint(sUsePAM, o->use_pam);
+ dump_cfg_string(sPAMServiceName, o->pam_service_name);
 #endif
 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
diff --git a/servconf.h b/servconf.h
index 8984e9966..22b158d10 100644
--- a/servconf.h
+++ b/servconf.h
@@ -210,6 +210,7 @@ typedef struct {
 char *adm_forced_command;
 int use_pam; /* Enable auth via PAM */
+ char *pam_service_name;
 int permit_tun;
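Review bot: The `sPAMServiceName` case only rejects a missing or empty token, yet the value is passed verbatim to `pam_start()` (auth-pam.c hunk in this diff), and PAM implementations typically resolve the service name to a file under their configuration directory, so a name containing `/` would select a configuration file outside that directory. The value is administrator-controlled, and with SSHCFG_ALL it can also come from Match blocks, so the parser is the natural place to constrain it; after the missing-argument check add `if (strchr(arg, '/') != NULL) fatal("%s line %d: invalid PAM service name.", filename, linenum);`. This is hardening of a trusted input rather than a fix for an exploitable path. process_server_config_line_depth's body starts before and continues past this hunk.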
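Review bot: `dump_cfg_string(sPAMServiceName, o->pam_service_name);` is placed under the `/* integer arguments */` heading beside `dump_cfg_fmtint(sUsePAM, ...)`, so the grouping comment no longer describes the section; dump_config appears to order its output by argument type, and this call presumably belongs with the other `dump_cfg_string` calls, inside an equivalent `#ifdef USE_PAM` guard. The `sshd -T` output itself is unaffected, so this is a point of style only. dump_config's body starts before and continues past this hunk.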
@@ -294,6 +295,7 @@ TAILQ_HEAD(include_list, include_item);
 M_CP_STROPT(ca_sign_algorithms); \
 M_CP_STROPT(routing_domain); \
 M_CP_STROPT(permit_user_env_allowlist); \
+ M_CP_STROPT(pam_service_name); \
 M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
 M_CP_STRARRAYOPT(allow_users, num_allow_users); \
 M_CP_STRARRAYOPT(deny_users, num_deny_users); \
diff --git a/sshd_config.5 b/sshd_config.5
index 11c341a9d..b228e905b 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1368,10 +1368,17 @@ and key exchange methods.
 The default is
 .Pa /etc/moduli .
+.It Cm PAMServiceName
+Specifies the service name used for Pluggable Authentication Modules (PAM)
+authentication, authorisation and session controls when
+.Cm UsePAM
+is enabled.
+The default is
+.Cm sshd .
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
-.Cm yes .
+.Cm sshd .
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the server
 allows login to accounts with empty password strings.
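Review bot: The hunk changes the documented default of `PasswordAuthentication` from `.Cm yes .` to `.Cm sshd .`, which looks like an editing slip made while adding the `PAMServiceName` entry directly above it; `sshd` is not a meaningful value for a yes/no keyword and nothing else in this diff touches that option. Restore that line to `.Cm yes .` and keep `.Cm sshd .` only as the default shown for the new `PAMServiceName` entry, since administrators reading the manual rely on the stated default of this authentication setting.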