More with PAM

2010-09-16
2013-04-16
  • Doug Eckert
    2010-09-16

    I have "UsePAM yes" set in /etc/ssh/sshd_config and the following stack in /etc/pam.conf

    # Entries for OpenSSH (sshd)
    sshd    auth    requisite       /usr/lib/security/64/pam_permission \
                                    file=/etc/security/pam_permission.scponly \
                                    found=prohibit
    sshd    auth    required        /usr/lib/security/pam_aix
    sshd    account required        /usr/lib/security/pam_aix
    sshd    password  required      /usr/lib/security/pam_aix
    sshd    session required        /usr/lib/security/pam_aix

    The file "/etc/security/pam_permission.scponly" contains a single line with a username. That user is still able to log in, even with the "found=prohibit" line above. Is the current version still compiled with PAM support?

    OpenSSH 5.4.0.6101
    OpenSSL 0.9.8.1300

  • Doug Eckert
    2010-09-16

    Another RTFM moment…

    chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH

  • Doug Eckert
    2010-09-16

    Yep - another OpenSSH/PAM question

    How is pam_start() being called? Is "sshd" hard-coded as the service name? I'm guessing it is, as I'm trying to run sshd on an alternate port so that I can have PAM handle things separately depending on which port users are coming in on.

    I've created a symlink, and even just copied the sshd binary.  Either way, it looks like the pam_start() call is using "sshd" as the service name.  Is there any way this can be modified to send the binary/executable name as the service instead of hard-coded "sshd"?