https://bugzilla.mindrot.org/show_bug.cgi?id=2980
--- Comment #1 from Eric Price <[email protected]> --- I did some digging in the bug database and the dev mailing list. Looks like I'm not the first person in need of that feature. A first implementation was first suggested on the dev mailinglist 2 decades ago: https://marc.info/?l=openssh-unix-dev&m=95840880026194&w=2 with code provided and a configurable flag PAMService in sshd_config This was in OpenSSH 1.1, so no support for multiple AuthMethods, and no support for Match directives, since OpenSSH didn't have that yet. -- There was no followup discussion on the mailing list and the patch was never included in the codebase. Then there is a bug from 2015 https://bugzilla.mindrot.org/show_bug.cgi?id=2102 with multiple implementations which has been marked as a duplicate of https://bugzilla.mindrot.org/show_bug.cgi?id=2246 This implemnentation takes a different route and assigns a prefix with a suffix for every single auth mechanism - including those that do not even use PAM for the auth procedure but only for session and account maintenance. IMHO that is overkill, and lead to a interesting discussion of using macros in the arguments. Several implementations of this exist on both mailinglist and attachments, but again none of them were implemented, the bug is still open. I would request to not mark this bug as a duplicate, as the approach to solving the problem (not necessarily its implementation) is IMHO superior to the macro approach. The generalized approach is: - Use a generic PAMServiceName for the pam session for (account) and (session) Use authentication method specific overrides only for (auth) and only for authentication methods that are actually PAM based. AFAIK at the moment only ChallengeResponse/KeyboardInteractive and PasswordAuthentication use PAM for auth, so a single additional flag would be sufficient at the moment to distinguish these cases. This is also necessary due to the difference in capabilities (interactive versus dumbfired) Other authentication methods, such as keybased or kerberos only use PAM for account and session management after authentication succeeded (if UsePAM is true) if in the future additional PAM (auth) based variants get added, they could introduce their own configuration flags to override PAMServiceName as needed - possibly in the form of <AuthMethodName>PAMServiceName Most importantly this does not conflict with the cases in which the login procedure requests multiple authentication methods in series, as obviously only one pam service can be responsible for session management after all of them succeeded. Does this make sense? -- You are receiving this mail because: You are watching the assignee of the bug. _______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
