
I have an SFTP server on CentOS 7. On this server, I run two OpenSSH processes with different configurations.

  • one is standard SSH on port 22 for administration purposes
  • the other is only SFTP on port 10022 (config has the line ForceCommand internal-sftp)

Now, for additional security, I want to split the authentication system as well. SSH on port 22 should stay the same and authenticate local system users, while SFTP on port 10022 should use a remote freeradius server.

How can I configure the OpenSSH process running on port 10022 to use another PAM configuration?

1 Answer


OpenSSH does not currently support changing the PAM service name. It is defined at compilation time (as the SSHD_PAM_SERVICE macro), so all instances of the same daemon will use the same PAM configuration unless recompiled with a different name.

Note also that it is not enough for OpenSSH to just authenticate users via PAM. sshd requires that the authenticated username map to some Unix UID via getpwnam(), which is outside the scope of PAM (it is done via nsswitch modules) – in other words, your SFTP users must actually be system users for OpenSSH to accept them.

So you will need to set up e.g. an LDAP user directory to make your users exist within the OS. And at that point, you won't need two instances anymore – you will be able to just configure PAM to jump to different modules based on group membership, e.g. local passwords for members of staff versus RADIUS auth for everyone else.

If that's not an option, you might want to use an alternative SFTP server, e.g. ProFTPD actually has SFTP support.

grawity
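One way to do the group-based split the answer describes, written here as an added example (it is not the answer's own configuration and not shipped by OpenSSH or CentOS). It assumes the CentOS 7 layout where /etc/pam.d/sshd is the service file and password-auth/postlogin are the usual substacks, that pam_radius_auth.so from the pam_radius package is installed, that administrators are members of a local group named staff, and that the RADIUS client settings (server, shared secret, timeout) live in /etc/pam_radius.conf. All of those names are assumptions; adjust them to the real system.

```pam
#%PAM-1.0
# /etc/pam.d/sshd -- added example, not the answer's own config.
# Assumptions: CentOS 7 stack layout (password-auth/postlogin substacks),
# pam_radius_auth.so from the pam_radius package, a local group "staff"
# for administrators, and RADIUS client settings in /etc/pam_radius.conf.
auth       required     pam_sepermit.so
# Branch on group membership. For members of "staff" pam_succeed_if returns
# success and "success=1" skips the next line, so they reach the local
# password-auth stack. For everyone else it fails, "default=ignore" leaves
# the stack result untouched, and the next line runs.
auth       [success=1 default=ignore]  pam_succeed_if.so quiet user ingroup staff
# Non-staff: RADIUS decides. "success=done" ends the auth stack with success,
# "default=die" ends it with failure, so local passwords are never consulted
# for these users.
auth       [success=done default=die]  pam_radius_auth.so conf=/etc/pam_radius.conf
# Staff only: local (shadow) passwords.
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
```

Because both sshd instances share the compiled-in service name, this file applies to port 22 and port 10022 alike; the split is by group, not by port, which is exactly why the answer says the second instance becomes unnecessary. Two checks before trusting it: every RADIUS user must still resolve through NSS (`getent passwd <user>` must return an entry, otherwise sshd rejects the login whatever PAM says), and the RADIUS prompt travels over PAM's conversation, so the instance that serves those users needs UsePAM yes and ChallengeResponseAuthentication yes (keyboard-interactive) rather than relying on PasswordAuthentication alone.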