Bug 1060237 - Allow to configure PAM service name in ssh configurarion [NEEDINFO]
Summary: Allow to configure PAM service name in ssh configurarion
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.0
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: rc
: ---
Assignee: Jakub Jelen
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-01-31 14:30 UTC by Dmitri Pal
Modified: 2018-12-07 13:04 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-07 13:04:47 UTC
Target Upstream Version:
Embargoed:
jjelen: needinfo? (dpal)


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenSSH Project 2102 0 None None None 2019-07-03 08:57:55 UTC

Description Dmitri Pal 2014-01-31 14:30:26 UTC
Description of problem:

Currently the PAM service name is the name of the binary. This means that the customer who wants to run SSH on two different ports needs to rename the binary. This is not ideal. The better option would be to allow it to be configurable in the ssh configuration.

The use case is the cluster that has user network and admin network. They are accessible via SSH but on different interfaces and on different ports. There is a single SSSD on the system that needs to differentiate the two for the purpose of the access control to prevent the ordinary users to connect on the admin port.  


The solution is to add a way to define what name to use in the PAM as a service via SSH config.

Comment 1 Petr Lautrbach 2014-02-24 09:52:11 UTC
Unfortunately, it's too late for RFE now, I'm moving it to 7.1

Comment 3 Petr Lautrbach 2014-06-09 20:10:45 UTC
There's a patch for support PAMServiceName in the referenced upstream bugzilla - https://bugzilla.mindrot.org/show_bug.cgi?id=2102

I've prepared a testing build with this patch applied and run a build based on Rawhide source. You can try it using my copr repository openssh_testing https://copr.fedoraproject.org/coprs/plautrba/openssh_testing/

Comment 7 Jakub Jelen 2016-08-15 13:04:36 UTC
No update, no RHEL7.3. We moved in the way to the other way of exposing authentication information to PAM (see the bug #1312304, if it can help you also in this case. For now, moving to 7.4

Comment 8 Kurt H Maier 2017-08-01 20:11:20 UTC
Bug #1312304 is not publicly visible.  What is the implemented alternative to the PAMServiceName patches?

Comment 9 Jakub Jelen 2017-08-02 07:32:23 UTC
(In reply to Kurt H Maier from comment #8)
> Bug #1312304 is not publicly visible.  What is the implemented alternative
> to the PAMServiceName patches?

Basically initial version of [1].

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2408


Note You need to log in before you can comment on or make changes to this bug.