
New feature: Set PAM service name in sshd_config file #122

Open · wants to merge 2 commits into master
Conversation

CorvusCorax

This allows different pam auth configurations based on
used AuthenticationMethod and Match directives.

See https://pastebin.com/SuCG6dft for the problem this solves.
There are 2 new config directives:

From Manpage:
     **PAMServiceName**
             Specifies the service identifier to be used for pluggable authentication modules
             (PAM).  If set to none, the sshd executable name (usually sshd) is used.  If set
             to name, authentication options can be configured in a matching file in
             /etc/pam.d/name.  The default is none.

     **PasswordPAMServiceName**
             Specifies the service identifier to be used for pluggable authentication modules
             (PAM) for PasswordAuthentication only. This is only used for the authentication
             (auth) PAM aspect. For account and session management, as well as
             ChallengeResponseAuthentication, the service name set in PAMServiceName is
             applied. This can be helpful to implement 2 factor authentication.  Example:

                   AuthenticationMethods "publickey,keyboard-interactive
                   password,keyboard-interactive"
                   PAMServiceName sshd_2factor
                   PasswordPAMServiceName sshd_password

             In this example, the challenge response authentication would ask the user for the
             second factor, for example an OATH token, while the first factor could be either
             provided by ssh-key or password. This requires two different PAM configurations to
             be used, in this example /etc/pam.d/sshd_2factor and /etc/pam.d/sshd_password. If
             set to none, the value of PAMServiceName is used.  The default is none.

Both new config options are allowed within Match directives, which allows a very sophisticated setup where different hosts can undergo completely different authentication paradigms.
If neither of the new options is set (or set to none), the behavior is as it used to be: the PAM service is set either to the program name or to the fixed override given with
./configure --with-pam-service=name

Implementation:
Instead of hardcoding the service name to SSHD_PAM_SERVICE, the PAM handle is now initiated with a dynamic service name. Since this can change unexpectedly when used in Match directives, PAM is now reinitialized every time pam_init() is called, even if the user is identical.

sshpam_auth_passwd(), which implements PAM-based PasswordAuthentication, now uses its own separate PAM handle used for authentication only (the regular one is used for account and session management).

I'm looking forward to your feedback.
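As an added illustration (not code from this PR or from OpenSSH), the resolver below applies the semantics described above to a constructed sshd_config excerpt: a matching Match block overrides the global section, the first matching block wins per keyword, and a value of none falls through from PasswordPAMServiceName to PAMServiceName to the compiled-in name. Only the User and Address Match criteria are modelled, and the service names and addresses in the sample are constructed.

```python
"""PAM service-name resolution under the proposed directives (illustration, not OpenSSH code)."""
import ipaddress

COMPILED_DEFAULT = "sshd"  # executable name, or the --with-pam-service override
SAMPLE_CONFIG = """# constructed sshd_config excerpt for this example
AuthenticationMethods "publickey,keyboard-interactive password,keyboard-interactive"
PAMServiceName sshd_2factor
PasswordPAMServiceName sshd_password
Match Address 10.0.0.0/8
    PAMServiceName sshd_internal
    PasswordPAMServiceName none
Match User backup
    PAMServiceName sshd_backup
"""

def _match_criteria(criteria, user, address):  # only User and Address are modelled
    for crit, pattern in zip(criteria[0::2], criteria[1::2]):
        if crit.lower() == "user":
            if user not in pattern.split(","):
                return False
        elif crit.lower() == "address":
            nets = [ipaddress.ip_network(p, strict=False) for p in pattern.split(",")]
            if not any(ipaddress.ip_address(address) in n for n in nets):
                return False
        else:
            raise ValueError(f"unsupported Match criterion: {crit}")
    return True

def effective_services(config_text, user, address):
    """Return (service for password auth, service for account/session and
    keyboard-interactive), honouring the 'none' fall-through of both directives."""
    global_vals, match_vals = {}, {}
    active = None  # None while in the global section, else whether the Match block applies
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, rest = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            active = _match_criteria(rest.split(), user, address)
        elif key in ("pamservicename", "passwordpamservicename"):
            if active is None:
                global_vals.setdefault(key, rest)
            elif active:
                match_vals.setdefault(key, rest)  # first matching Match block wins
    def pick(key):  # a Match value overrides the global one; "none" falls through
        value = match_vals.get(key, global_vals.get(key, "none"))
        return None if value == "none" else value
    general = pick("pamservicename") or COMPILED_DEFAULT
    return pick("passwordpamservicename") or general, general
```

Running it for a user from 10.1.2.3 shows the Address block's none sending password authentication to sshd_internal, while the same user from outside that range still gets sshd_password for the password step.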

This allows different pam auth configurations based on
used AuthenticationMethod and Match directives
TommiTallgren commented Apr 2, 2019

I hope that Softagram's visual analysis of this PR could help the reviewers. This was made originally as a demo to discuss with SSH contributors. If you like it, please contact us to have this activated for the repo.

Softagram Impact Report (images not reproduced: "Change Overview", showing the changed files, dependency changes and the impact, and "Details of Dependency Changes")
