sshd & pam & getpwnam()
nick at rogness.net
Thu Jun 24 00:07:02 PDT 2004
On Sun, 20 Jun 2004, Alexey Zagarin wrote:
> Does anybody know, why sshd call getpwnam() even if user is
> authenticating via PAM? This broke remote authentication (RADIUS,
> TACACS+) when user doesn't exist in local password database.
This is typical behavior for most account based PAM applications
sshd in particular expects the user to have an system account,
even if the user has already been auth'd via PAM. It makes sense
from sshd's standpoint because it must read information from the
users home directory (which it gets from getpwnam).
On another note, I've yet to understand why PAM aware applications
don't do a pam_get_user (or equivalent) after PAM authentication
has been accepted as the PAM module. This would allow the PAM
module to say "user 'bob' you are authenticated, but your REAL
username should be 'id02345'". Sort of a username substitution.
I've had to patch the stock FTP server and c-client to do
this exact thing on our servers at work.
Nick Rogness <nick at rogness.net>
How many people here have telekenetic powers? Raise my hand.
More information about the freebsd-hackers