Date:      Thu, 24 Jun 2004 01:06:45 -0600 (MDT)
From:      Nick Rogness <nick@rogness.net>
To:        Alexey Zagarin <zagarin@emax.ru>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: sshd & pam & getpwnam()
Message-ID:  <20040624005340.R5174@skywalker.rogness.net>
In-Reply-To: <40D56C73.8090806@emax.ru>
References:  <40D56C73.8090806@emax.ru>

On Sun, 20 Jun 2004, Alexey Zagarin wrote:

> Hello!
>
> Does anybody know why sshd calls getpwnam() even if the user is
> authenticating via PAM? This broke remote authentication (RADIUS,
> TACACS+) when the user doesn't exist in the local password database.

 	This is typical behavior for most account-based PAM applications
 	I've seen.

 	sshd in particular expects the user to have a system account,
 	even if the user has already been auth'd via PAM.  It makes sense
 	from sshd's standpoint because it must read information from the
 	user's home directory (which it gets from getpwnam).

 	On another note, I've yet to understand why PAM-aware applications
 	don't do a pam_get_user (or equivalent) after PAM authentication
 	has been accepted by the PAM module.  This would allow the PAM
 	module to say "user 'bob', you are authenticated, but your REAL
 	username should be 'id02345'".  Sort of a username substitution.
 	I've had to patch the stock FTP server and c-client to do
 	this exact thing on our servers at work.


Nick Rogness <nick@rogness.net>
-
   How many people here have telekinetic powers? Raise my hand.
   				-Emo Philips
