This is a discussion on Re: Is it possible to avoid PAM calls for key based Auth methods - openssh ; On Wed, Feb 16, 2005 at 02:03:07PM +1100, Darren Tucker wrote: > Nicolas Williams wrote: > >You really don't want to do this as this means making modules aware of > >ssh protocol specific details just so you can configure ...
On Wed, Feb 16, 2005 at 02:03:07PM +1100, Darren Tucker wrote:
> Nicolas Williams wrote:
> >You really don't want to do this as this means making modules aware of
> >ssh protocol specific details just so you can configure each ssh
> >authentication method differently.
> Yeah, but not being responsible for the PAM stacks I don't care so much
> about that :-) Seriously, this just points out how limited the PAM
> configuration mechanism is.
I don't agree.
> >>- sshd could use different PAM service names for the different auth
> >>types. (eg "sshd-public-key", "sshd-password", "sshd-gssapi-with-mic"
> >> and fall back to "sshd" if these don't exists. This would probably be
> >>tricky to write because you'd have to stop and start PAM for each auth
> >Solaris 10's sshd does this. See:
> Will it attempt to fall back to "sshd" if the specific PAM service does
> not exist (or do you just end up with "other")?
PAM doesn't provide a way to detect what services are configured, so it
falls back on "other."
> >The service names it uses are:
> > - sshd-none
> > - sshd-password
> > - sshd-kbdint
> > - sshd-pubkey
> > - sshd-hostbased
> > - sshd-gssapi (for both, gssapi-keyex and gssapi-with-mic)
> >You might want to use those too...
> Those do not agree with the defaults in the ssh_config(4) man page (at
> least the one online at
sshd_config(4)'s reference to "PamSvcFor*" is incorrect. A man page bug
was filed recently about this. See sshd(1M) instead:
> (On an unrelated note I see MaxAuthTries and MaxAuthTriesLog are still
Indeed. I'll file a bug report.
openssh-unix-dev mailing list