add a sshd_config PamServiceName option
Allows selecting which PAM service name to use when UsePAM is enabled. Defaults to "sshd" unless overridden at compile time by defining SSHD_PAM_SERVICE. bz2102, ok dtucker@
This commit is contained in:
parent
9f032a4dd1
commit
b2c64bc170
13
auth-pam.c
13
auth-pam.c
|
@ -67,10 +67,6 @@
|
|||
#include <pam/pam_appl.h>
|
||||
#endif
|
||||
|
||||
#if !defined(SSHD_PAM_SERVICE)
|
||||
# define SSHD_PAM_SERVICE "sshd"
|
||||
#endif
|
||||
|
||||
/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
|
||||
#ifdef PAM_SUN_CODEBASE
|
||||
# define sshpam_const /* Solaris, HP-UX, SunOS */
|
||||
|
@ -693,6 +689,8 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
|
|||
const char **ptr_pam_user = &pam_user;
|
||||
int r;
|
||||
|
||||
if (options.pam_service_name == NULL)
|
||||
fatal_f("internal error: NULL PAM service name");
|
||||
#if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
|
||||
/* Protect buggy PAM implementations from excessively long usernames */
|
||||
if (strlen(user) >= PAM_MAX_RESP_SIZE)
|
||||
|
@ -714,9 +712,10 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
|
|||
pam_end(sshpam_handle, sshpam_err);
|
||||
sshpam_handle = NULL;
|
||||
}
|
||||
debug("PAM: initializing for \"%s\"", user);
|
||||
sshpam_err =
|
||||
pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
|
||||
debug("PAM: initializing for \"%s\" with service \"%s\"", user,
|
||||
options.pam_service_name);
|
||||
sshpam_err = pam_start(options.pam_service_name, user,
|
||||
&store_conv, &sshpam_handle);
|
||||
sshpam_authctxt = authctxt;
|
||||
|
||||
if (sshpam_err != PAM_SUCCESS) {
|
||||
|
|
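Review bot: The NULL guard added in sshpam_init() ahead of the PAM_SUN_CODEBASE block should carry a comment explaining when it can fire, since the value is normally guaranteed by fill_default_server_options() and may be replaced per connection through the Match machinery (the option is SSHCFG_ALL and copied via M_CP_STROPT in this commit). I would put `/* Always set by fill_default_server_options() or a Match block; NULL means the config was never finalised for this connection. */` above `if (options.pam_service_name == NULL)`. A service name chosen by a Match block only applies if sshpam_init() runs after the match config has been applied to `options` for that connection; that ordering is not visible in this hunk and is worth confirming, because the handle is otherwise started with the global name and the pam_end()/restart path just above would be the only recovery. sshpam_init's body begins before and continues past these hunks.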
22
servconf.c
22
servconf.c
|
@ -69,6 +69,10 @@
|
|||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
|
||||
#if !defined(SSHD_PAM_SERVICE)
|
||||
# define SSHD_PAM_SERVICE "sshd"
|
||||
#endif
|
||||
|
||||
static void add_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
static void add_one_listen_addr(ServerOptions *, const char *,
|
||||
|
@ -88,6 +92,7 @@ initialize_server_options(ServerOptions *options)
|
|||
|
||||
/* Portable-specific options */
|
||||
options->use_pam = -1;
|
||||
options->pam_service_name = NULL;
|
||||
|
||||
/* Standard Options */
|
||||
options->num_ports = 0;
|
||||
|
@ -291,6 +296,8 @@ fill_default_server_options(ServerOptions *options)
|
|||
/* Portable-specific options */
|
||||
if (options->use_pam == -1)
|
||||
options->use_pam = 0;
|
||||
if (options->pam_service_name == NULL)
|
||||
options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
|
||||
|
||||
/* Standard Options */
|
||||
if (options->num_host_key_files == 0) {
|
||||
|
@ -530,7 +537,7 @@ fill_default_server_options(ServerOptions *options)
|
|||
typedef enum {
|
||||
sBadOption, /* == unknown option */
|
||||
/* Portable-specific options */
|
||||
sUsePAM,
|
||||
sUsePAM, sPAMServiceName,
|
||||
/* Standard Options */
|
||||
sPort, sHostKeyFile, sLoginGraceTime,
|
||||
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||
|
@ -583,8 +590,10 @@ static struct {
|
|||
/* Portable-specific options */
|
||||
#ifdef USE_PAM
|
||||
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
||||
{ "pamservicename", sPAMServiceName, SSHCFG_ALL },
|
||||
#else
|
||||
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "pamservicename", sUnsupported, SSHCFG_ALL },
|
||||
#endif
|
||||
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
||||
/* Standard Options */
|
||||
|
@ -1318,6 +1327,16 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
|||
case sUsePAM:
|
||||
intptr = &options->use_pam;
|
||||
goto parse_flag;
|
||||
case sPAMServiceName:
|
||||
charptr = &options->pam_service_name;
|
||||
arg = argv_next(&ac, &av);
|
||||
if (!arg || *arg == '\0') {
|
||||
fatal("%s line %d: missing argument.",
|
||||
filename, linenum);
|
||||
}
|
||||
if (*activep && *charptr == NULL)
|
||||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
|
||||
/* Standard Options */
|
||||
case sBadOption:
|
||||
|
@ -3128,6 +3147,7 @@ dump_config(ServerOptions *o)
|
|||
/* integer arguments */
|
||||
#ifdef USE_PAM
|
||||
dump_cfg_fmtint(sUsePAM, o->use_pam);
|
||||
dump_cfg_string(sPAMServiceName, o->pam_service_name);
|
||||
#endif
|
||||
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
|
||||
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
|
||||
|
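Review bot: The sPAMServiceName case accepts any non-empty token, but pam_start() uses the service name to locate a policy file (on Linux-PAM under /etc/pam.d), so a value containing '/' or whitespace would select a file outside that directory or fail obscurely at authentication time instead of at config parse. The value comes from sshd_config, which is root-controlled, so this is a usability and fail-early check rather than a vulnerability, but it is cheap: after the missing-argument check add `if (strchr(arg, '/') != NULL) fatal("%s line %d: invalid PAM service name.", filename, linenum);`. Whether a given PAM implementation rejects such names itself varies, so I would not rely on it. process_server_config_line_depth() extends well beyond this hunk.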
|
|
@ -210,6 +210,7 @@ typedef struct {
|
|||
char *adm_forced_command;
|
||||
|
||||
int use_pam; /* Enable auth via PAM */
|
||||
char *pam_service_name;
|
||||
|
||||
int permit_tun;
|
||||
|
||||
|
@ -294,6 +295,7 @@ TAILQ_HEAD(include_list, include_item);
|
|||
M_CP_STROPT(ca_sign_algorithms); \
|
||||
M_CP_STROPT(routing_domain); \
|
||||
M_CP_STROPT(permit_user_env_allowlist); \
|
||||
M_CP_STROPT(pam_service_name); \
|
||||
M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
|
||||
M_CP_STRARRAYOPT(allow_users, num_allow_users); \
|
||||
M_CP_STRARRAYOPT(deny_users, num_deny_users); \
|
||||
|
|
|
@ -1368,10 +1368,17 @@ and
|
|||
key exchange methods.
|
||||
The default is
|
||||
.Pa /etc/moduli .
|
||||
.It Cm PAMServiceName
|
||||
Specifies the service name used for Pluggable Authentication Modules (PAM)
|
||||
authentication, authorisation and session controls when
|
||||
.Cm UsePAM
|
||||
is enabled.
|
||||
The default is
|
||||
.Cm sshd .
|
||||
.It Cm PasswordAuthentication
|
||||
Specifies whether password authentication is allowed.
|
||||
The default is
|
||||
.Cm yes .
|
||||
.Cm sshd .
|
||||
.It Cm PermitEmptyPasswords
|
||||
When password authentication is allowed, it specifies whether the
|
||||
server allows login to accounts with empty password strings.
|
||||
|
|