Ssh – Multiple sshd instances using different PAM configurations

Tags: configuration, pam, ssh

I set up multiple OpenSSH daemons on different ports and would like to have them use different PAM configuration profiles. Is that possible? As far as I understand, PAM determines the configuration file name from within the daemon binary, so I'd need to recompile my sshd just to have it use another PAM configuration file?!

Best Answer

Unfortunately the service name chosen by the program is hard coded. You will most likely have to modify the sshd source and re-compile.

The reason they do this instead of just passing ARGV[0] as the service name is for security reasons. If the pam.d/ file was chosen based off ARGV[0] (the program name), then an attacker could possibly symlink/hardlink/cp that program to a name of her choosing, one that had the least restrictions within its associated pam.d/ file.

Search the source for a string such as:

int pam_start(

===================

UPDATE:

auth-pam.h shows the servicename set to:

__progname

This means that you CAN just change the progname and it will look for a pam file of the new name. Not a good security practice and I am kinda surprised by this. Maybe someone knows something I don't... since the OpenBSD guys are a much smarter bunch than myself. :p

UPDATE 2:

Verified that PAM servicename is set to the basename by doing the following from the console:

cp sshd to sshd2:

[root@cent ~]# cp /usr/sbin/sshd /usr/sbin/sshd2

stop the current sshd and start the new one:

[root@cent ~]# /etc/init.d/sshd stop
[root@cent ~]# /usr/sbin/sshd2

Start strace on the new sshd and attempt an ssh login from another comp.

[root@cent ~]# strace -fp 5835 -e trace=open -o ssh_results&

Find which pam file:

[root@cent ~]# grep -i pam.d ssh_results 
6116  open("/etc/pam.d/sshd2", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)

sshd2 (basename)
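The procedure in the answer, collected into one script as an added example (this is not code from the original answer or from OpenSSH). It derives the PAM service name the same way OpenSSH does (auth-pam.c passes __progname, which libc sets to the basename of argv[0]), parses an strace log for the pam.d files a daemon tried to open, and bundles the copy-and-start steps into a function. The paths /usr/sbin/sshd2 and /etc/pam.d/sshd2 are the ones used above; the strace lines embedded below are constructed sample data, and the fallback open of /etc/pam.d/other in that sample is Linux-PAM's default behaviour when the named profile is missing.

```shell
#!/bin/sh
# Added example: second sshd instance with its own PAM profile.

# OpenSSH calls pam_start(__progname, ...); libc sets __progname to the
# basename of argv[0]. So the service name follows the binary's file name.
pam_service_for() {
    basename "$1"
}

# Given an strace log (strace -f -e trace=file ...), print the distinct
# /etc/pam.d/ files the traced process tried to open, in order of first use.
pam_files_from_strace() {
    grep -o '"/etc/pam\.d/[^"]*"' "$1" | tr -d '"' | awk '!seen[$0]++'
}

# Steps from the answer, needing root and a real sshd. Not run unless the
# script is invoked with "setup"; the config path /etc/ssh/<name>_config is
# an assumption for giving the instance its own port.
setup_second_sshd() {
    name=${1:-sshd2}
    cp /usr/sbin/sshd "/usr/sbin/$name"
    # Start from a copy of the existing sshd profile, then tighten it;
    # without this file PAM falls back to /etc/pam.d/other.
    [ -e "/etc/pam.d/$name" ] || cp /etc/pam.d/sshd "/etc/pam.d/$name"
    "/usr/sbin/$name" -f "/etc/ssh/${name}_config"
}

# Constructed sample of strace output for a daemon started as /usr/sbin/sshd2.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
6116  open("/etc/ld.so.cache", O_RDONLY) = 3
6116  open("/etc/pam.d/sshd2", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
6116  open("/etc/pam.d/other", O_RDONLY|O_LARGEFILE) = 3
6116  open("/etc/pam.d/other", O_RDONLY|O_LARGEFILE) = 3
EOF

case "${1:-demo}" in
    setup) setup_second_sshd "${2:-sshd2}" ;;
    *)
        echo "PAM service for /usr/sbin/sshd2: $(pam_service_for /usr/sbin/sshd2)"
        echo "pam.d files opened according to the sample log:"
        pam_files_from_strace "$SAMPLE_LOG"
        ;;
esac
```

Run it without arguments to see the name derivation and the log parsing; run it as root with `setup sshd2` to perform the copy and start. On newer glibc, open() is implemented via openat(), so `-e trace=open` may show nothing; use `-e trace=file` and the parser above still works because it matches on the path rather than the syscall name.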