AW: Pam configuration files

Debian-User office at thinktank.at
Thu Apr 8 20:12:14 UTC 2004


Hi guys,

concerning the "Pam configuration files" issue, I would like to ask if
there is a way to tell ssh (via different config-files) to use different
authentication methods (i.e. to use a special pam_service-name)?

My idea is as follows:

having one box with two instances of ssh running. One instance is only
accessible from outside the firewall (with strong authentication), the
other instance is only accessible from inside the firewall (and hence
has significantly different - i.e. "looser" - authentication requirements).

Would that be possible without having to recompile the ssh-binary? I
want to avoid that for several reasons! (It should be possible to use
two different config-files and hence two different ports - and only one
port is allowed for external access on the firewall - with only one
binary; but is it also possible to specify the pam_service-name to use
in the ssh-config-file?)

TIA for any help you can offer.
Sascha

> -----Original Message-----
> From: pam-list-admin at redhat.com 
> [mailto:pam-list-admin at redhat.com] On Behalf Of Joe Lewis
> Sent: Wednesday, 25 February 2004 20:24
> To: pam-list at redhat.com
> Subject: Re: Pam configuration files
> 
> 
> Yes, the application calls it with the service name, and that is the 
> name of the configuration file.  If it uses the old method where there 
> is one pam.conf file, each line is prefixed with that service name for 
> specifying configurations.
> 
> Joe
> 
> Boris Breslav wrote:
> 
> > Joe, Heiko, thanks a lot for your quick reply.
> > But even if the application itself is responsible for the service name,
> > can I be sure that the following is always true?:
> > PAM_SERVICE = name of the file in the /etc/pam.d directory
> > 
> > Boris
> > 
> > ----- Original Message ----- 
> > From: "Heiko Hund" <heiko at ist.eigentlich.net>
> > To: <pam-list at redhat.com>
> > Sent: Wednesday, February 25, 2004 8.48 PM
> > Subject: Re: Pam configuration files
> > 
> > 
> > 
> >>Hey Boris,
> >>
> >>
> >>>Now it is even more interesting. I wrote a sample module and I printed
> >>>out the PAM_SERVICE item for FTP connection and it was "ftp" and not
> >>>"ftpd"
> >>>So what is it a typo in the Administration Guide?
> >>
> >>not at all. Every PAM enabled application chooses its own service name.
> >>Therefore it could be anything. It is only a convention to choose the
> >>name of the app. Obviously your ftpd chose `ftp' as a service name. That
> >>also is why the file in /etc/pam.d is named `ftp' and not `ftpd'. If you
> >>dislike that, you may recompile the ftpd with a service name you like.
> >>
> >>Greetings
> >>Heiko
> >>-- 
> >>-------------------------------------------------------------------
> >>  of course they say every atom of our body was once part of a star
> >>  maybe I'm not leaving, maybe I'm going home
> >>------------------------------------------------------ [gattaca] --
> >>
> >>
> >>_______________________________________________
> >>Pam-list mailing list
> >>Pam-list at redhat.com
> >>https://www.redhat.com/mailman/listinfo/pam-list
> 
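The service-name lookup described in the quoted replies, as an added example that is not part of the original thread: it resolves which rules apply to a given service name in both the `/etc/pam.d/<service>` layout and the single-file `pam.conf` layout. The service names `sshd-external` and `sshd-internal`, the module `pam_example_otp.so` and all sample file contents are constructed for illustration; the per-type fallback to the `other` service is Linux-PAM behaviour that the thread itself does not mention.

```python
TYPES = ("auth", "account", "password", "session")

def load(text, wanted=None):
    """Parse PAM rules into {type: [(control, module_and_args), ...]}.

    wanted=None: pam.d layout (no service column).
    wanted=name: pam.conf layout; keep only lines prefixed with that service.
    """
    rules = {}
    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())  # drop comment, squeeze blanks
        if wanted is not None:
            service, _, line = line.partition(" ")
            if service.lower() != wanted:
                continue
        mtype, _, rest = line.partition(" ")
        mtype = mtype.lstrip("-")            # "-auth" means: stay quiet if module is missing
        if mtype not in TYPES:
            continue
        if rest.startswith("["):             # bracketed control, e.g. [success=1 default=ignore]
            control, _, module = rest.partition("]")
            control += "]"
        else:
            control, _, module = rest.partition(" ")
        if module.strip():
            rules.setdefault(mtype, []).append((control, module.strip()))
    return rules

def effective_policy(service, pam_d=None, pam_conf=""):
    """Rules consulted for `service`; pam_d maps file name -> contents.

    If the pam.d directory exists (pam_d is not None), pam.conf is ignored.
    A management type with no rules of its own falls back to service "other".
    """
    service = service.lower()                # Linux-PAM lowercases the service name
    if pam_d is not None:
        own, default = load(pam_d.get(service, "")), load(pam_d.get("other", ""))
    else:
        own, default = load(pam_conf, service), load(pam_conf, "other")
    return {t: own.get(t) or default.get(t, []) for t in TYPES}

# Constructed sample data (hypothetical service and module names).
PAM_D = {
    "sshd-external": "auth required pam_unix.so\nauth required pam_example_otp.so\n",
    "sshd-internal": "auth required pam_unix.so  # inside the firewall\n",
    "ftp": "auth required pam_unix.so\n",
    "other": "auth required pam_deny.so\naccount required pam_deny.so\n",
}
PAM_CONF = "ftp auth required pam_unix.so\nother auth required pam_deny.so\n"
```

Asking for the policy of `ftpd` with this data returns only the `other` rules, which is the audit-relevant point of the thread: a file named after the binary has no effect unless the application actually registers that service name.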




