Description of problem: Currently the PAM service name is the name of the binary. This means that a customer who wants to run SSH on two different ports needs to rename the binary. This is not ideal. A better option would be to make it configurable in the SSH configuration. The use case is a cluster that has a user network and an admin network. They are accessible via SSH but on different interfaces and on different ports. There is a single SSSD on the system that needs to differentiate the two for the purpose of access control, to prevent ordinary users from connecting on the admin port. The solution is to add a way to define, via the SSH config, what name to use as the PAM service.
Unfortunately, it's too late for an RFE now; I'm moving it to 7.1.
There's a patch to support PAMServiceName in the referenced upstream bugzilla: https://bugzilla.mindrot.org/show_bug.cgi?id=2102
I've prepared a testing build with this patch applied and run a build based on Rawhide source. You can try it using my copr repository openssh_testing: https://copr.fedoraproject.org/coprs/plautrba/openssh_testing/
No update, no RHEL7.3. We moved toward another way of exposing authentication information to PAM (see bug #1312304, if it can also help you in this case). For now, moving to 7.4.
Bug #1312304 is not publicly visible. What is the implemented alternative to the PAMServiceName patches?
(In reply to Kurt H Maier from comment #8)
> Bug #1312304 is not publicly visible. What is the implemented alternative
> to the PAMServiceName patches?

Basically the initial version of [1].

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2408