Does OpenSSH support setting PAM_AUSER - openssh

  1. Does OpenSSH support setting PAM_AUSER


    Hi All,

    I have OpenSSH "OpenSSH_5.1p1, OpenSSL 0.9.7d 17 Mar 2004" installed on
    machines which have Solaris 10 as the OS.

    I have a requirement to implement RBAC (Role Based Access Control) on my
    system.

    As part of RBAC, I have to provide remote role2role login feature (For
    more details:
    http://bugs.opensolaris.org/view_bug...b6bd564e843af4
    907bd1?bug_id=6213280

    http://opensolaris.org/jive/thread.j...4615&tstart=45 )

    By default, roles don't support remote login to roles; the reason behind
    this is that the PAM (pluggable authentication module) module pam_roles
    will not allow remote users to assume roles.
    For more details:
    http://docs.sun.com/app/docs/doc/819...roles-5?a=view

    The pam_roles man page says that this feature is possible by setting
    PAM_AUSER, but only the sshd-hostbased service can set PAM_AUSER.
    According to the pam_roles(5) man page, after making the following
    change to /etc/pam.conf, remote role assumption should work.

    "sshd-hostbased account requisite pam_roles.so.1 allow_remote"

    1) My doubt is, In pam_roles man page it is not clearly mentioned, will
    it work with Open-ssh or SSH?

    2) So can you please tell me, is this sshd-hostbased service will set
    PAM_AUSER or not?

    If the mail is not clear, please do reply without any hesitation.

    Thanks in advance,
    Regards,
    Rajas

    _______________________________________________
    openssh-unix-dev mailing list
    openssh-unix-dev@mindrot.org
    https://lists.mindrot.org/mailman/li...enssh-unix-dev


  2. Re: Does OpenSSH support setting PAM_AUSER

    Godugu, Rajeshwar (NSN - IN/Bangalore) wrote:
    [...]
    > "sshd-hostbased account requisite pam_roles.so.1 allow_remote"
    >
    > 1) My doubt is, In pam_roles man page it is not clearly mentioned, will
    > it work with Open-ssh or SSH?
    >
    > 2) So can you please tell me, is this sshd-hostbased service will set
    > PAM_AUSER or not?


    PAM_AUSER is not part of the PAM spec (either XSSO[1] or the original
    Sun RFC[2]) and OpenSSH does not currently use it.

    The link you posted suggests that Sun have modified the sshd that ships
    with Solaris to use it for some auth methods, but you would need to ask
    Sun about that.

    [1] http://www.opengroup.org/onlinepubs/008329799/
    [2] http://www.opengroup.org/tech/rfc/mi...fc/rfc86.0.txt

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
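
An added example, not part of the thread and not code from OpenSSH or Solaris: a small Python audit that parses pam.conf-format text and lists the pam_roles entries that carry allow_remote, so an administrator can see which PAM services have had the remote-role restriction relaxed. The sample configuration, the function names and the scope labels are constructed for illustration.

```python
from typing import List, NamedTuple, Tuple

# Constructed sample in the pam.conf layout:
#   service  module_type  control_flag  module_path  [options...]
SAMPLE = """\
# constructed sample, not taken from a real host
sshd-hostbased account requisite pam_roles.so.1 allow_remote
sshd-password  account requisite pam_roles.so.1
other          account requisite pam_roles.so.1 allow_remote  # fallback entry
login          auth    required  pam_unix_auth.so.1
"""

class PamEntry(NamedTuple):
    lineno: int
    service: str
    module_type: str
    control: str
    module: str
    options: Tuple[str, ...]

def parse_pam_conf(text: str) -> List[PamEntry]:
    """Parse pam.conf-style text, ignoring comments, blanks and short lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        entries.append(PamEntry(lineno, fields[0].lower(), fields[1].lower(),
                                fields[2], fields[3], tuple(fields[4:])))
    return entries

def remote_role_findings(text: str) -> List[Tuple[int, str, str]]:
    """Return (line, service, scope) for pam_roles entries with allow_remote."""
    findings = []
    for e in parse_pam_conf(text):
        module_name = e.module.rsplit("/", 1)[-1]
        if not module_name.startswith("pam_roles.so"):
            continue
        if "allow_remote" not in e.options:
            continue
        # "other" is the fallback for services with no entries of their own,
        # so the option there reaches further than a single named service.
        scope = "all-unlisted-services" if e.service == "other" else "service-only"
        findings.append((e.lineno, e.service, scope))
    return findings

if __name__ == "__main__":
    for lineno, service, scope in remote_role_findings(SAMPLE):
        print(f"line {lineno}: {service}: pam_roles allow_remote ({scope})")
```
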

