[Bug 1215] sshd requires entry from getpwnam for PAM accounts

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat Jun 2 11:23:37 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=1215


Jesse Zbikowski <embeddedlinuxguy at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1293 is|0                           |1
           obsolete|                            |




--- Comment #11 from Jesse Zbikowski <embeddedlinuxguy at gmail.com>  2007-06-02 11:23:30 ---
Created an attachment (id=1300)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1300)
Authorize with PAM virtual username, not local username

Thanks James!  This indeed gets around the "mapping-to-root" problem
without my hack in Comment 9.

I still believe the authorization request needs to send the virtual (PAM)
username, NOT the local username.  Otherwise I see no way to give
different privileges to different PAM users, or to allow for a TACACS+
server which manages multiple independent systems.

My attached patch temporarily restores the virtual username during
authorization.  The idea is that the PAM module should map to
e.g. "nobody" during authentication, then map to an appropriate user
(perhaps based on TACACS+ AV pairs) during authorization: "op",
"admin", "guest", etc.  This patch is vs. 4.3p2 with Darren's and
James' patches applied.  It saves the usernames during
sshpam_handle_user_change() and swaps them during do_pam_account().

Please let me know if I am on the right track with this.  I think a
much better design would be not to do any username mapping or
valid-user checking until *after* the accounting, but I haven't been
able to make that work yet.

