https://bugzilla.mindrot.org/show_bug.cgi?id=2246
--- Comment #2 from [email protected] ---

Thank you for the evaluation and suggestion. I would like to confirm with you the following three items:

1) PAMServiceName sshd-%m

I interpreted your suggestion for this option as follows: the value of the PAMServiceName option can be specified as "service_name" or "service_name-%m".

a) PAMServiceName service_name

Only one PAM service for all user authentications, with "service_name" as the PAM service name.

b) PAMServiceName service_name-%m

An administrator can use this option for SSHv2, so that each userauth type has its own PAM service name. For example, if "PAMServiceName sshd-%m" is specified, then the PAM service name will be expanded to sshd-password, sshd-kbdint, sshd-pubkey, sshd-hostbased and sshd-gssapi respectively for the password, keyboard-interactive, pubkey, hostbased and gssapi-with-mic userauth methods. This applies to SSH protocol 2 only.

c) If the "PAMServiceName" option is not specified in the sshd_config file, then it defaults to "PAMServiceName sshd", which means that there is only one PAM service and the service name is "sshd". Note that this matches the current OpenSSH default behavior.

Is my interpretation correct?

2) The PAM state problem in the proposed patch

You are right that there may be some state problems in the "each SSHv2 userauth method has its own PAM service name" situation. Although the PAM service will be invoked many times in this case, the invocations are sequential and there will always be only one pam_handle at any moment. Therefore, we can resolve this problem by cleaning up the PAM state, calling pam_end(), before invoking a new PAM service. The PAM state can be stored in those static variables in auth-pam.c, for example:

    static pam_handle_t *sshpam_handle = NULL;
    static int sshpam_err = 0;
    static int sshpam_authenticated = 0;
    static int sshpam_account_status = -1;
    static char **sshpam_env = NULL;

3) The pam_acct_mgmt problem in the patch

While checking into the state problem, I also found another problem in the patch. pam_acct_mgmt() should also be called for each userauth method if each userauth method has its own PAM service. I will fix this problem and submit another patch later. Note that pam_setcred() and pam_open_session() do not need to be called for each userauth method. They can be called after all the userauth methods are processed, as long as there is a valid pam_handle.
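Added example, not code from this bug or from OpenSSH's auth-pam.c: a small C model of the "%m" expansion and of the call ordering the comment lays out (end the previous handle before starting a new service, pam_acct_mgmt per method, pam_setcred/pam_open_session once at the end). It assumes the method-to-suffix names listed in the comment (kbdint, pubkey, gssapi) and records the PAM calls into a trace string instead of linking libpam, so the pam_* names here are labels for the sequence, not real libpam calls.

```c
#include <stdio.h>
#include <string.h>

/* Userauth method -> "%m" suffix, using the names given in the comment. */
static const struct { const char *method, *suffix; } suffixes[] = {
    { "password", "password" }, { "keyboard-interactive", "kbdint" }, { "publickey", "pubkey" },
    { "hostbased", "hostbased" }, { "gssapi-with-mic", "gssapi" } };

/* Expand "%m" in the PAMServiceName template for one method. A template without
 * "%m" is copied unchanged (one service for all methods). Returns 0 on success,
 * -1 for an unknown method or a result that does not fit in out. */
int expand_pam_service(const char *tmpl, const char *method, char *out, size_t outlen)
{
    const char *suffix = NULL, *pct = strstr(tmpl, "%m");
    int n;
    for (size_t i = 0; i < sizeof suffixes / sizeof suffixes[0]; i++)
        if (strcmp(suffixes[i].method, method) == 0) suffix = suffixes[i].suffix;
    if (suffix == NULL) return -1;
    n = pct ? snprintf(out, outlen, "%.*s%s%s", (int)(pct - tmpl), tmpl, suffix, pct + 2)
            : snprintf(out, outlen, "%s", tmpl);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Model of the auth-pam.c state: at most one handle, identified by its service
 * name ("" = no handle). PAM calls are appended to a trace, not sent to libpam. */
static char sshpam_service[64], pam_trace[512];
static void record(const char *c, const char *s) { size_t n = strlen(pam_trace); snprintf(pam_trace + n, sizeof pam_trace - n, "%s(%s);", c, s); }

/* One userauth attempt: pam_end() any handle for a different service before
 * starting this method's service, then authenticate and run pam_acct_mgmt for it. */
int sshpam_auth_method(const char *tmpl, const char *method)
{
    char svc[64];
    if (expand_pam_service(tmpl, method, svc, sizeof svc) < 0) return -1;
    if (sshpam_service[0] && strcmp(sshpam_service, svc) != 0) {
        record("pam_end", sshpam_service);   /* only one handle at any moment */
        sshpam_service[0] = '\0';
    }
    if (!sshpam_service[0]) { record("pam_start", svc); strcpy(sshpam_service, svc); }
    record("pam_authenticate", svc);
    record("pam_acct_mgmt", svc);            /* per method, as item 3) requires */
    return 0;
}

/* Once all methods are processed: setcred and open_session on the surviving handle. */
int sshpam_finish(void)
{
    if (!sshpam_service[0]) return -1;
    record("pam_setcred", sshpam_service); record("pam_open_session", sshpam_service);
    return 0;
}

const char *sshpam_trace(void) { return pam_trace; }
```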
