From: Nick Rogness
To: Alexey Zagarin
cc: freebsd-hackers@freebsd.org
Date: Thu, 24 Jun 2004 01:06:45 -0600 (MDT)
Subject: Re: sshd & pam & getpwnam()
Message-ID: <20040624005340.R5174@skywalker.rogness.net>
In-Reply-To: <40D56C73.8090806@emax.ru>

On Sun, 20 Jun 2004, Alexey Zagarin wrote:

> Hello!
>
> Does anybody know why sshd calls getpwnam() even if the user is
> authenticating via PAM? This broke remote authentication (RADIUS,
> TACACS+) when the user doesn't exist in the local password database.

This is typical behavior for most account-based PAM applications I've seen. sshd in particular expects the user to have a system account, even if the user has already been auth'd via PAM.

It makes sense from sshd's standpoint because it must read information from the user's home directory (which it gets from getpwnam).

On another note, I've yet to understand why PAM-aware applications don't do a pam_get_user (or equivalent) after PAM authentication has been accepted by the PAM module. This would allow the PAM module to say "user 'bob', you are authenticated, but your REAL username should be 'id02345'". Sort of a username substitution. I've had to patch the stock FTP server and c-client to do this exact thing on our servers at work.

Nick Rogness
- How many people here have telekinetic powers? Raise my hand.
  -Emo Philips