Subject: Re: Using __progname for PAM service names in pam_start()
To: None <>
From: Christos Zoulas <>
List: tech-userlevel
Date: 06/13/2007 17:00:35
In article <>,
Emmanuel Dreyfus  <> wrote:
>Currently, most of our PAM aware programs call pam_start with a hardcoded
>PAM service string. Here is an example:
>	pam_error = pam_start ("ppp", user, &PAM_conversation, &pamh);
>The notable exception is sshd, which uses __progname
># define SSHD_PAM_SERVICE            __progname
>	pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
>The sshd approach allows more flexibility. For instance, I can create
>a second sshd running on another port:
>ln -s /usr/sbin/sshd /usr/local/sbin/sshd-local
>sshd-local will use /etc/pam.d/sshd-local while sshd uses /etc/pam.d/sshd.
>Such a setup is not possible with our other PAM aware programs.
>Does anyone see an objection to the system-wide replacement of the pam_start
>first argument (PAM service name) by __progname? I see only benefits here...
>Here are the candidates for the change:

It should be getprogname() and all such programs should call
setprogname() before using it. Unfortunately there is no way to
tell if a configuration file exists for such a service, so that you
can fall back to the "known" working config file, but since our
pam fails closed this is not an issue.
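
Added example, not part of the original message or of any NetBSD source: a sketch of deriving the PAM service name from the program name, as discussed in this thread. The function name pam_service_name and its validation rules are assumptions made for illustration. Since argv[0] is chosen by whoever exec'd the program, anything that is not a plain file name is replaced by the hardcoded service.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper: keep only the last path component of argv0 (as
 * setprogname() does) and accept it as a PAM service name only if it is
 * a plain file name; otherwise use the hardcoded fallback.
 * Returns 1 if the derived name was used, 0 if the fallback was used,
 * -1 if the result does not fit in out.
 */
int
pam_service_name(const char *argv0, const char *fallback,
    char *out, size_t outlen)
{
	const char *name = argv0, *p;
	int ok;

	if (name != NULL && (p = strrchr(name, '/')) != NULL)
		name = p + 1;

	/* Reject empty names and dot-names ("." and ".." included). */
	ok = name != NULL && name[0] != '\0' && name[0] != '.';
	for (p = name; ok && *p != '\0'; p++) {
		if (!isalnum((unsigned char)*p) &&
		    *p != '-' && *p != '_' && *p != '.')
			ok = 0;
	}
	if (!ok)
		name = fallback;
	if (strlen(name) >= outlen)
		return -1;
	memcpy(out, name, strlen(name) + 1);
	return ok;
}

int
main(int argc, char **argv)
{
	char service[64];

	if (pam_service_name(argc > 0 ? argv[0] : NULL, "sshd",
	    service, sizeof(service)) < 0)
		return 1;
	/* A PAM-aware program would pass this as the first argument of
	 * pam_start(), selecting /etc/pam.d/<service>. */
	printf("PAM service: %s\n", service);
	return 0;
}
```

Run through the sshd-local symlink from the quoted message, this selects the service name sshd-local; run as sshd, it selects sshd.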