add a sshd_config PamServiceName option
authorDamien Miller <djm@mindrot.org>
Fri, 14 Jun 2024 04:19:23 +0000 (14:19 +1000)
committerDamien Miller <djm@mindrot.org>
Fri, 14 Jun 2024 04:20:54 +0000 (14:20 +1000)
Allows selecting which PAM service name to use when UsePAM is
enabled. Defaults to "sshd" unless overridden at compile time
by defining SSHD_PAM_SERVICE.

bz2102, ok dtucker@

auth-pam.c
servconf.c
servconf.h
sshd_config.5

index d648023717a2929c8d488d676395482309948108..2c1a8d3df8dd6c8a4c8258af04da6c6d94731d08 100644 (file)
 #include <pam/pam_appl.h>
 #endif
 
-#if !defined(SSHD_PAM_SERVICE)
-# define SSHD_PAM_SERVICE              "sshd"
-#endif
-
 /* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
 #ifdef PAM_SUN_CODEBASE
 # define sshpam_const          /* Solaris, HP-UX, SunOS */
@@ -693,6 +689,8 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
        const char **ptr_pam_user = &pam_user;
        int r;
 
+       if (options.pam_service_name == NULL)
+               fatal_f("internal error: NULL PAM service name");
 #if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
        /* Protect buggy PAM implementations from excessively long usernames */
        if (strlen(user) >= PAM_MAX_RESP_SIZE)
@@ -714,9 +712,10 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
                pam_end(sshpam_handle, sshpam_err);
                sshpam_handle = NULL;
        }
-       debug("PAM: initializing for \"%s\"", user);
-       sshpam_err =
-           pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
+       debug("PAM: initializing for \"%s\" with service \"%s\"", user,
+           options.pam_service_name);
+       sshpam_err = pam_start(options.pam_service_name, user,
+           &store_conv, &sshpam_handle);
        sshpam_authctxt = authctxt;
 
        if (sshpam_err != PAM_SUCCESS) {
index 22afbededdfef23366e61ab008377a0da1be0a02..5b32f0bfc8db6237f71d0805209eff3d8aaae6e0 100644 (file)
 #include "myproposal.h"
 #include "digest.h"
 
+#if !defined(SSHD_PAM_SERVICE)
+# define SSHD_PAM_SERVICE              "sshd"
+#endif
+
 static void add_listen_addr(ServerOptions *, const char *,
     const char *, int);
 static void add_one_listen_addr(ServerOptions *, const char *,
@@ -88,6 +92,7 @@ initialize_server_options(ServerOptions *options)
 
        /* Portable-specific options */
        options->use_pam = -1;
+       options->pam_service_name = NULL;
 
        /* Standard Options */
        options->num_ports = 0;
@@ -291,6 +296,8 @@ fill_default_server_options(ServerOptions *options)
        /* Portable-specific options */
        if (options->use_pam == -1)
                options->use_pam = 0;
+       if (options->pam_service_name == NULL)
+               options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
 
        /* Standard Options */
        if (options->num_host_key_files == 0) {
@@ -530,7 +537,7 @@ fill_default_server_options(ServerOptions *options)
 typedef enum {
        sBadOption,             /* == unknown option */
        /* Portable-specific options */
-       sUsePAM,
+       sUsePAM, sPAMServiceName,
        /* Standard Options */
        sPort, sHostKeyFile, sLoginGraceTime,
        sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
@@ -583,8 +590,10 @@ static struct {
        /* Portable-specific options */
 #ifdef USE_PAM
        { "usepam", sUsePAM, SSHCFG_GLOBAL },
+       { "pamservicename", sPAMServiceName, SSHCFG_ALL },
 #else
        { "usepam", sUnsupported, SSHCFG_GLOBAL },
+       { "pamservicename", sUnsupported, SSHCFG_ALL },
 #endif
        { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
        /* Standard Options */
@@ -1318,6 +1327,16 @@ process_server_config_line_depth(ServerOptions *options, char *line,
        case sUsePAM:
                intptr = &options->use_pam;
                goto parse_flag;
+       case sPAMServiceName:
+               charptr = &options->pam_service_name;
+               arg = argv_next(&ac, &av);
+               if (!arg || *arg == '\0') {
+                       fatal("%s line %d: missing argument.",
+                           filename, linenum);
+               }
+               if (*activep && *charptr == NULL)
+                       *charptr = xstrdup(arg);
+               break;
 
        /* Standard Options */
        case sBadOption:
@@ -3128,6 +3147,7 @@ dump_config(ServerOptions *o)
        /* integer arguments */
 #ifdef USE_PAM
        dump_cfg_fmtint(sUsePAM, o->use_pam);
+       dump_cfg_string(sPAMServiceName, o->pam_service_name);
 #endif
        dump_cfg_int(sLoginGraceTime, o->login_grace_time);
        dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
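Review bot: The sPAMServiceName case in process_server_config_line_depth (hunk `@@ -1318`) accepts any non-empty token, and the value is later passed to pam_start() unchanged, where the PAM library resolves it to a service configuration; a name containing `/` or whitespace is therefore taken verbatim, and whether the PAM implementation itself rejects such names varies. sshd_config is administrator-controlled, so this is not a trust-boundary problem, but rejecting path separators at parse time, e.g. `if (strchr(arg, '/') != NULL) fatal("%s line %d: invalid PAM service name.", filename, linenum);`, would surface a mistake at config-check time rather than at the first authentication attempt. Separately, in the dump_config hunk the new dump_cfg_string() call sits under the `/* integer arguments */` comment; the placement is understandable because of the surrounding `#ifdef USE_PAM`, but a short comment or moving it beside the other string dumps would avoid the mismatch. process_server_config_line_depth and dump_config both extend beyond their hunks.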
index 8984e99661e72cae2f605a88e3739e1cd5580d73..22b158d1057c8c74db99336df2ad190678740ef3 100644 (file)
@@ -210,6 +210,7 @@ typedef struct {
        char   *adm_forced_command;
 
        int     use_pam;                /* Enable auth via PAM */
+       char   *pam_service_name;
 
        int     permit_tun;
 
@@ -294,6 +295,7 @@ TAILQ_HEAD(include_list, include_item);
                M_CP_STROPT(ca_sign_algorithms); \
                M_CP_STROPT(routing_domain); \
                M_CP_STROPT(permit_user_env_allowlist); \
+               M_CP_STROPT(pam_service_name); \
                M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
                M_CP_STRARRAYOPT(allow_users, num_allow_users); \
                M_CP_STRARRAYOPT(deny_users, num_deny_users); \
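Review bot: The new `pam_service_name` member in the first hunk of this section carries no trailing comment, while the neighbouring `use_pam` documents itself; suggest `char   *pam_service_name;       /* PAM service name (PAMServiceName) */` so the header records which sshd_config keyword populates it. The M_CP_STROPT addition in the second hunk is what lets the SSHCFG_ALL keyword take effect inside Match blocks, so the two hunks belong together and neither should be dropped in a partial backport. The enclosing typedef struct and the copy macro both start and end outside these hunks.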
index 11c341a9dbab039b1cc6a4042991dba3ab6680d9..b228e905b0b30d62ac37fb7f1325c2e53e10d4be 100644 (file)
@@ -1368,10 +1368,17 @@ and
 key exchange methods.
 The default is
 .Pa /etc/moduli .
+.It Cm PAMServiceName
+Specifies the service name used for Pluggable Authentication Modules (PAM)
+authentication, authorisation and session controls when
+.Cm UsePAM
+is enabled.
+The default is
+.Cm sshd .
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
-.Cm yes .
+.Cm sshd .
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
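Review bot: The last change in this hunk alters the documented default of PasswordAuthentication from `.Cm yes .` to `.Cm sshd .`, which looks like an editing slip carried over from the new PAMServiceName entry rather than an intended change; that line should remain `.Cm yes .`, since the option's default is unchanged elsewhere in this commit. Because the keyword is registered with SSHCFG_ALL in servconf.c, the page's list of keywords permitted after Match (outside this hunk, if the page keeps such a list) should also be updated to name PAMServiceName.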