Why does PAM authentication (seem to) work without a PAM service file?

Thomas Fazekas

Apr 15, 2021, 8:54:57 AM

The other day I wanted to set up an sftp service that I want to keep separate from the standard ssh service (which in my case is the one provided by Ubuntu 20.04).
Accordingly, I've recompiled the OpenSSH sources with: "./configure --prefix=/opt/openssh-8.5p1 --with-pam --with-pam-service=sshcd"

"sshcd" - in my case representing SSH Custom Daemon.

Now, the authentication is supposed to happen via LDAP, so on purpose I did NOT provide any sshcd.conf file in the /etc/pam.d/ folder, expecting that, at least in the beginning, I would not be able to log in to my shiny new ssh daemon.

To my surprise, username/password authentication works, and what's even more puzzling is that if I look in the log I can even see it using pam modules:
[Apr 15 14:50:14][vm-1][authpriv][sshcd[2191]:][info] pam_unix(sshcd:session): session opened for user test1 by (uid=0)
There are more pam-related logs, so clearly my service is using some pam modules without me providing any configuration.

Again, there is no /etc/pam.d/sshcd.conf.
Is there an explanation for this?

Right now I'm worried about what else works without me wanting it to work ;)

Thomas Fazekas

Apr 15, 2021, 10:35:14 AM

After digging some more in the PAM documentation I believe I've found the answer to my question: http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
Excerpt: "The service-name, other, is reserved for giving default rules."

/etc/pam.d/other - specify the PAM fallback behaviour. This file is used for any unspecified service
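
A check for the fallback described in the reply above, as an added example that is not part of the original thread: it reports whether a service has its own file in a PAM configuration directory and, if not, whether the `other` fallback only denies. The function name `pam_effective_policy` and its result labels are hypothetical; it assumes Linux-PAM's convention that the file is named exactly after the service, looks only in the directory it is given, and does not follow `@include` lines.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: pam_effective_policy /etc/pam.d sshcd
# Prints one of:
#   service:<path>          a file named after the service exists and governs it
#   fallback-deny:<path>    no service file; "other" references only pam_deny/pam_warn
#   fallback-review:<path>  no service file; "other" pulls in anything else (or is empty)
#   none                    neither a service file nor "other" exists in the directory
pam_effective_policy() {
    dir=$1
    svc=$2
    if [ -f "$dir/$svc" ]; then
        printf 'service:%s\n' "$dir/$svc"
        return 0
    fi
    other="$dir/other"
    if [ ! -f "$other" ]; then
        printf 'none\n'
        return 0
    fi
    # Strip comments, then inspect every active rule in the fallback file.
    if sed -e 's/#.*//' "$other" | awk '
        NF == 0 { next }                      # blank after comment removal
        { seen = 1 }
        $1 == "@include" { open = 1; next }   # pulls in another policy file
        {
            mod = ""
            # The module is the first field ending in .so (the control field
            # may be a bracketed list containing spaces, so do not assume $3).
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { mod = $i; break }
            sub(/.*\//, "", mod)              # drop any directory prefix
            if (mod != "pam_deny.so" && mod != "pam_warn.so") open = 1
        }
        END { exit ((open || !seen) ? 1 : 0) }'
    then
        printf 'fallback-deny:%s\n' "$other"
    else
        printf 'fallback-review:%s\n' "$other"
    fi
}
```

A `fallback-review` result for a custom service name such as `sshcd` means logins to that daemon are governed by whatever `other` references rather than by a policy written for it.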