add a sshd_config PamServiceName option

Allows selecting which PAM service name to use when UsePAM is
enabled. Defaults to "sshd" unless overridden at compile time
by defining SSHD_PAM_SERVICE.

bz2102, ok dtucker@
Damien Miller 2024-06-14 14:19:23 +10:00
parent 9f032a4dd1
commit b2c64bc170
4 changed files with 37 additions and 9 deletions


@ -67,10 +67,6 @@
#include <pam/pam_appl.h>
#endif
#if !defined(SSHD_PAM_SERVICE)
# define SSHD_PAM_SERVICE "sshd"
#endif
/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
#ifdef PAM_SUN_CODEBASE
# define sshpam_const /* Solaris, HP-UX, SunOS */
@ -693,6 +689,8 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
const char **ptr_pam_user = &pam_user;
int r;
if (options.pam_service_name == NULL)
fatal_f("internal error: NULL PAM service name");
#if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
/* Protect buggy PAM implementations from excessively long usernames */
if (strlen(user) >= PAM_MAX_RESP_SIZE)
@ -714,9 +712,10 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
}
debug("PAM: initializing for \"%s\"", user);
sshpam_err =
pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
debug("PAM: initializing for \"%s\" with service \"%s\"", user,
options.pam_service_name);
sshpam_err = pam_start(options.pam_service_name, user,
&store_conv, &sshpam_handle);
sshpam_authctxt = authctxt;
if (sshpam_err != PAM_SUCCESS) {
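Review bot: options.pam_service_name is consumed here in `sshpam_err = pam_start(options.pam_service_name, user, ...`, while servconf.c registers PAMServiceName with SSHCFG_ALL, so a value set in a Match block only reaches pam_start() if Match re-evaluation has already run for this user by the time sshpam_init is entered; that ordering is not visible in the hunk and deserves a comment if it is guaranteed, e.g. `/* may be overridden per-Match; Match is applied before PAM init */`. The `fatal_f("internal error: NULL PAM service name")` guard in the previous hunk is reasonable defence-in-depth given that fill_default_server_options supplies the "sshd" default. Logging the service name in the debug line is useful for operators confirming which PAM policy a session was evaluated against. sshpam_init begins and ends outside these hunks.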


@ -69,6 +69,10 @@
#include "myproposal.h"
#include "digest.h"
#if !defined(SSHD_PAM_SERVICE)
# define SSHD_PAM_SERVICE "sshd"
#endif
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
static void add_one_listen_addr(ServerOptions *, const char *,
@ -88,6 +92,7 @@ initialize_server_options(ServerOptions *options)
/* Portable-specific options */
options->use_pam = -1;
options->pam_service_name = NULL;
/* Standard Options */
options->num_ports = 0;
@ -291,6 +296,8 @@ fill_default_server_options(ServerOptions *options)
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
if (options->pam_service_name == NULL)
options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
/* Standard Options */
if (options->num_host_key_files == 0) {
@ -530,7 +537,7 @@ fill_default_server_options(ServerOptions *options)
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
sUsePAM,
sUsePAM, sPAMServiceName,
/* Standard Options */
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
@ -583,8 +590,10 @@ static struct {
/* Portable-specific options */
#ifdef USE_PAM
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
{ "pamservicename", sPAMServiceName, SSHCFG_ALL },
#else
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
{ "pamservicename", sUnsupported, SSHCFG_ALL },
#endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
@ -1318,6 +1327,16 @@ process_server_config_line_depth(ServerOptions *options, char *line,
case sUsePAM:
intptr = &options->use_pam;
goto parse_flag;
case sPAMServiceName:
charptr = &options->pam_service_name;
arg = argv_next(&ac, &av);
if (!arg || *arg == '\0') {
fatal("%s line %d: missing argument.",
filename, linenum);
}
if (*activep && *charptr == NULL)
*charptr = xstrdup(arg);
break;
/* Standard Options */
case sBadOption:
@ -3128,6 +3147,7 @@ dump_config(ServerOptions *o)
/* integer arguments */
#ifdef USE_PAM
dump_cfg_fmtint(sUsePAM, o->use_pam);
dump_cfg_string(sPAMServiceName, o->pam_service_name);
#endif
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
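Review bot: `dump_cfg_string(sPAMServiceName, o->pam_service_name);` is inserted under the `/* integer arguments */` heading of dump_config, beside the integer UsePAM dump; it is a string option and either belongs with the other dump_cfg_string calls or the heading should be widened to cover the PAM group. The sPAMServiceName case in the process_server_config_line_depth hunk stores any non-empty token unchecked; whether every supported pam_start() implementation rejects a name containing a path separator is not visible here, so a one-line reject of such names, or a comment stating that the PAM library is relied on to refuse invalid names, would make the intent explicit. Both dump_config and process_server_config_line_depth continue outside the hunks.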


@ -210,6 +210,7 @@ typedef struct {
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
char *pam_service_name;
int permit_tun;
@ -294,6 +295,7 @@ TAILQ_HEAD(include_list, include_item);
M_CP_STROPT(ca_sign_algorithms); \
M_CP_STROPT(routing_domain); \
M_CP_STROPT(permit_user_env_allowlist); \
M_CP_STROPT(pam_service_name); \
M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
M_CP_STRARRAYOPT(allow_users, num_allow_users); \
M_CP_STRARRAYOPT(deny_users, num_deny_users); \
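Review bot: The new `char *pam_service_name;` field carries no comment while its neighbour `int use_pam;` documents itself with `/* Enable auth via PAM */`; suggest `char *pam_service_name; /* Service name passed to pam_start() (PAMServiceName) */`. The M_CP_STROPT(pam_service_name) entry in the second hunk appears to be what lets a Match block override the value, which is worth noting on the field since readers of the struct will not otherwise see that the service name can vary per connection. The struct and the macro both extend beyond the hunks.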


@ -1368,10 +1368,17 @@ and
key exchange methods.
The default is
.Pa /etc/moduli .
.It Cm PAMServiceName
Specifies the service name used for Pluggable Authentication Modules (PAM)
authentication, authorisation and session controls when
.Cm UsePAM
is enabled.
The default is
.Cm sshd .
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
.Cm yes .
.Cm sshd .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.