Discussion:
Changing PAM service name in sshd_config, or running sshd as non-root
Michael Tokarev
2003-03-26 16:25:25 UTC
Currently, openssh's PAM service name is a compile-time choice.
That's fine when one uses one sshd to serve normal shell logins
and the like. But this will not work IF sshd is not run as
root (which I don't want it to do), because pam_open_session
usually requires access to one's shadow information (for account
expiration perhaps?), and there is no way (and no need: this sshd
is installed to handle a specific task (or a set of tasks, really),
where NO pam work is needed at all - to only allow port forwarding
for several authorized (via keys) parties, something like tunnels -
just to give an example) to give this information to a non-root
process. So, sshd fails:

debug1: ssh_rsa_verify: signature correct
PAM rejected by account configuration[9]: Authentication service cannot retrieve authentication info.
Accepted publickey for mjt from 127.0.0.1 port 1101 ssh2
Failed publickey for mjt from 127.0.0.1 port 1101 ssh2

(note the order of messages - PAM failure first, pubkey acceptance
is second).

So, that is to say: why is there no e.g. PamServiceName configuration
option in sshd_config?

Thanks.

/mjt
Jim Knoble
2003-03-26 20:20:16 UTC
Circa 2003-03-26 19:25:25 +0300 dixit Michael Tokarev:

: Currently, openssh's PAM service name is a compile-time choice.

[...]

: So, that is to say: why is there no e.g. PamServiceName configuration
: option in sshd_config?

There is one, it's just called something different:

ln -s /path/to/sshd /path/to/your-favorite-ssh-service-name

OpenSSH's sshd uses the basename of argv[0] as the service name, as you
would know if you were to read the INSTALL file that accompanies
OpenSSH-3.5p1.
--
jim knoble | ***@pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
Stop the War on Freedom ... Start the War on Poverty!
Michael Tokarev
2003-04-04 14:13:39 UTC
Post by Jim Knoble:
> : Currently, openssh's PAM service name is a compile-time choice.
> [...]
> : So, that is to say: why is there no e.g. PamServiceName configuration
> : option in sshd_config?
> ln -s /path/to/sshd /path/to/your-favorite-ssh-service-name
> OpenSSH's sshd uses the basename of argv[0] as the service name, as you
> would know if you were to read the INSTALL file that accompanies
> OpenSSH-3.5p1.
In my /etc/pam.d/, there is no file named `sshd', but there is a file
`ssh' (without trailing `d'). Yet sshd works.

Well, that may be due to the fact that I use the openssh that comes with
debian woody, i.e. openssh-3.4p1.

Either way, it would be much more reliable if sshd used e.g.
PamServiceName from sshd_config.

/mjt
Jim Knoble
2003-04-04 20:43:13 UTC
Circa 2003-04-04 18:13:39 +0400 dixit Michael Tokarev:

: Jim Knoble wrote:
: >OpenSSH's sshd uses the basename of argv[0] as the service name, as you
: >would know if you were to read the INSTALL file that accompanies
: >OpenSSH-3.5p1.
:
: In my /etc/pam.d/, there is no file named `sshd', but there is a file
: `ssh' (without trailing `d'). Yet sshd works.

Are you sure the file is not misnamed, and that sshd isn't falling
through to another service, such as /etc/pam.d/other?

: Well, that may be due to the fact that I use the openssh that comes with
: debian woody, i.e. openssh-3.4p1.

Then perhaps you should complain to the maintainer of the Debian
package. Or perhaps you should unpack the source of the Debian package
and analyze it yourself. If you're using anything except the source
from ftp.openssh.com that you compiled yourself, then you should first
contact the maintainer of your pre-compiled OpenSSH rather than
complaining here. We have no way of knowing what subtle changes the
Debian maintainer---or anyone else---has wrought in their prebuilt
packages.

: Either way, it would be much more reliable if sshd used e.g.
: PamServiceName from sshd_config.

No. It would be much more reliable if system integrators didn't change
the behavior of the software they package in subtle and mutually
incompatible ways. See http://cr.yp.to/compatibility.html .
--
jim knoble | ***@pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
Stop the War on Freedom ... Start the War on Poverty!
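The two replies above rely on two facts: a stock OpenSSH sshd takes its PAM service name from the basename of argv[0] (so a symlink renames the service), and PAM falls back to /etc/pam.d/other when no file matches the service name. The script below is an added example, not code from the thread or from OpenSSH, that models exactly those two rules so you can see which PAM file a given invocation path would hit before you restart a daemon. It only works on a constructed pam.d directory by default; the function names (pam_service_from_argv0, pam_config_for, check_sshd_pam) are this example's own. It cannot detect a build whose service name was hardwired at compile time, because that never consults argv[0].

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): model how a stock
# sshd picks its PAM service name from basename(argv[0]) and which
# /etc/pam.d file PAM will then consult, including the "other" fallback.
# Limitation: a binary built with a hardwired service name ignores argv[0]
# entirely; this script only models the documented argv[0] behaviour.

# pam_service_from_argv0 PATH -> prints the service name sshd would use
pam_service_from_argv0() {
    basename "$1"
}

# pam_config_for SERVICE [PAMDIR] -> prints the file PAM would open:
#   PAMDIR/SERVICE if it exists, else PAMDIR/other (the fallback), else "none"
pam_config_for() {
    svc=$1
    dir=${2:-/etc/pam.d}
    if [ -f "$dir/$svc" ]; then
        printf '%s\n' "$dir/$svc"
    elif [ -f "$dir/other" ]; then
        printf '%s\n' "$dir/other"
    else
        printf 'none\n'
    fi
}

# check_sshd_pam ARGV0 [PAMDIR] -> prints "ok", "fallthrough" or "missing"
#   ok          : a service file matching basename(argv0) exists
#   fallthrough : no match, PAM would silently use PAMDIR/other
#   missing     : neither exists, every PAM call will fail
check_sshd_pam() {
    svc=$(pam_service_from_argv0 "$1")
    cfg=$(pam_config_for "$svc" "$2")
    case $cfg in
        none)    echo missing ;;
        */other) echo fallthrough ;;
        *)       echo ok ;;
    esac
}

# Demo on a constructed pam.d tree (hypothetical layout, no real files touched):
# a Debian-style "ssh" service file plus the catch-all "other".
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/pam.d"
    : > "$tmp/pam.d/ssh"
    : > "$tmp/pam.d/other"
    : > "$tmp/sbin_sshd"
    # The symlink trick from the reply: only the basename changes.
    ln -s "$tmp/sbin_sshd" "$tmp/ssh"
    for argv0 in "$tmp/sbin_sshd" "$tmp/ssh" "$tmp/ssh-tunnel"; do
        printf '%-40s service=%-12s result=%s\n' "$argv0" \
            "$(pam_service_from_argv0 "$argv0")" \
            "$(check_sshd_pam "$argv0" "$tmp/pam.d")"
    done
    rm -rf "$tmp"
}
demo
```

On a live host, `check_sshd_pam /usr/sbin/sshd /etc/pam.d` tells you whether a stock sshd launched from that path would land on its own service file or fall through to `other`; a "fallthrough" result is the situation Jim asks about above, and is worth catching because `other` is typically far more permissive or far more restrictive than the sshd-specific policy, and nothing in the sshd logs will say which file was used.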
pod
2003-04-07 11:01:02 UTC
JK> Are you sure the file is not misnamed, and that sshd isn't falling
JK> through to another service, such as /etc/pam.d/other?

The debian woody binary package 3.4p1-1 is built with CFLAGS that include
-DSSHD_PAM_SERVICE="ssh". Doing this hardwires the PAM service name and
it can no longer be changed by changing argv[0].
Markus Friedl
2003-04-07 11:19:09 UTC
Post by pod:
> JK> Are you sure the file is not misnamed, and that sshd isn't falling
> JK> through to another service, such as /etc/pam.d/other?
> The debian woody binary package 3.4p1-1 is built with CFLAGS that include
> -DSSHD_PAM_SERVICE="ssh". Doing this hardwires the PAM service name and
> it can no longer be changed by changing argv[0].
hm, then your vendor should fix this problem.....