I set up multiple OpenSSH daemons on different ports and would like to have them use different PAM configuration profiles. Is that possible? As far as I understand, PAM determines the configuration file name from within the daemon binary, so I'd need to recompile my sshd just to have it use another PAM configuration file?!
1 Answer
Unfortunately the service name chosen by the program is hard coded. You will most likely have to modify the sshd source and re-compile.
The reason they do this instead of just passing ARGV[0] as the service name is for security reasons. If the pam.d/ file were chosen based on ARGV[0] (the program name), then an attacker could possibly symlink/hardlink/cp that program to a name of her choosing, one that had the least restrictions within its associated pam.d/ file.
Search the source for a string such as:
int pam_start(
===================
UPDATE:
auth-pam.h shows the servicename set to:
__progname
This means that you CAN just change the progname and it will look for a pam file of the new name. Not a good security practice and I am kinda surprised by this. Maybe someone knows something I don't... since the OpenBSD guys are a much smarter bunch than myself. :p
UPDATE 2:
Verified that PAM servicename is set to the basename by doing the following from the console:
cp sshd to sshd2:
[root@cent ~]# cp /usr/sbin/sshd /usr/sbin/sshd2
stop the current sshd and start the new one:
[root@cent ~]# /etc/init.d/sshd stop
[root@cent ~]# /usr/sbin/sshd2
Start strace on the new sshd and attempt an ssh login from another comp.
[root@cent ~]# strace -fp 5835 -e trace=open -o ssh_results&
Find which pam file:
[root@cent ~]# grep -i pam.d ssh_results
6116 open("/etc/pam.d/sshd2", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
sshd2 (basename)
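As an added example (not code from the question or the answer), here is the procedure the answer verifies turned into a small sh script: clone sshd under a new basename while seeding a matching /etc/pam.d/ profile, then parse the strace output to report which profile the daemon actually tried to open and whether it was found. The ROOT variable, the function names and the sample trace lines are my own constructions, not anything from OpenSSH.

```shell
#!/bin/sh
# Added example, not code from the original answer. Clones sshd under a new
# basename so PAM looks up a separate profile, and checks an strace log to
# confirm which /etc/pam.d/ files the daemon actually opened.
# ROOT (assumed helper variable) prefixes all paths so the functions can be
# exercised against a scratch tree; leave it empty to operate on the real /.
ROOT="${ROOT:-}"

# Copy /usr/sbin/sshd to /usr/sbin/<name> and seed /etc/pam.d/<name> from the
# stock sshd profile, so the renamed daemon does not hit ENOENT on first start.
# Prints the path of the new profile, which is the file to customise.
clone_sshd_with_pam_profile() {
    name="$1"
    src="$ROOT/usr/sbin/sshd"; dst="$ROOT/usr/sbin/$name"
    profile="$ROOT/etc/pam.d/$name"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "$dst already exists" >&2; return 1; }
    cp -p "$src" "$dst" || return 1
    if [ ! -f "$profile" ]; then
        cp -p "$ROOT/etc/pam.d/sshd" "$profile" || return 1
    fi
    echo "$profile"
}

# Parse 'strace -e trace=open' output (open or openat lines) and print
# "<service> <status>" for each /etc/pam.d/ file the process opened:
# OK if the open succeeded, ENOENT if the profile is missing, which is the
# symptom seen in the answer when /etc/pam.d/sshd2 did not exist.
pam_services_from_trace() {
    awk -F'"' '$1 ~ /open/ && $2 ~ /^\/etc\/pam\.d\// {
        n = split($2, parts, "/"); svc = parts[n]
        status = ($0 ~ /ENOENT/) ? "ENOENT" : "OK"
        print svc, status
    }' "$1"
}

# Constructed sample trace in the same shape as the answer's strace line.
SAMPLE_TRACE='6116 open("/etc/pam.d/sshd2", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
6116 open("/etc/pam.d/other", O_RDONLY) = 4
6116 open("/etc/ssh/sshd_config", O_RDONLY) = 3'

# Writes the sample trace to a temp file and runs the parser over it.
demo_trace_check() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_TRACE" > "$tmp"
    pam_services_from_trace "$tmp"
    rm -f "$tmp"
}
```

Run `demo_trace_check` to see the parser report `sshd2 ENOENT` for the missing profile; against a live daemon, feed it the file written by `strace -fp <pid> -e trace=open -o ssh_results`.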
- This is interesting - I wouldn't really expect this behavior either. Though of course the "security" argument is completely bogus if you're renaming binaries. – quadruplebucky Mar 01 '10 at 13:25
- The PAM developers don't think it's bogus. I see your point though, but user permissions issues happen and this one would lead to root. http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/adg-security-service-name.html – CarpeNoctem Mar 01 '10 at 13:28