[Bug 1215] sshd requires entry from getpwnam for PAM accounts

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat Aug 22 01:58:36 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=1215

Brad Huntting <huntting at glarp.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |huntting at glarp.com

--- Comment #21 from Brad Huntting <huntting at glarp.com> ---
In most environments users control their own workstations and servers,
and root on these machines is not to be trusted any more than the users
who own them. And most AAA databases (RADIUS, LDAP, etc) are
administered by someone other than the user/owner of the workstation
using them.

In some cases, the AAA database may be administered by a service
provider, with users as customers. In such an environment it's not
unreasonable to expect that customer data (name, phone number, homedir,
etc) should not be shared with other customers.

In other cases, the location of the user's homedir may not even be
knowable before the user is authenticated.

In these, and many other situations, it is simply presumptuous to
suppose that nss passwd information for every user would be available
to every other user everywhere.

I do agree that PAM changing the username during authentication is a
bad idea; I think it would be better to pass user info to an
nss_radius.so module via some runtime (/var/run/radius_users.db)
database.

However, asking a user to authenticate before giving out their personal
information is not an unreasonable requirement. This needs to be a
configurable option.
