[openssh-commits] [openssh] 01/12: properly bail out when PAM changes username
git+noreply at mindrot.org
Thu Apr 2 20:26:16 AEDT 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch V_10_3
in repository openssh.
commit 5d72f1865b95ebfd99ea7baa8f6f2a4b721d151e
Author: Damien Miller <djm at mindrot.org>
AuthorDate: Thu Apr 2 18:32:00 2026 +1100
properly bail out when PAM changes username
OpenSSH doesn't support PAM changing its conception of the
username via a module calling pam_set_item(h, PAM_USER, ...).
We were supposed to bail out here, but I messed up while "fixing"
this last time and dropped a return statement.
Reported by Mike Damm
---
auth-pam.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/auth-pam.c b/auth-pam.c
index d2b3c3483..29607e041 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -474,6 +474,7 @@ check_pam_user(Authctxt *authctxt)
if (strcmp(sshpam_initial_user, pam_user) != 0) {
error_f("PAM user \"%s\" does not match previous \"%s\"",
pam_user, sshpam_initial_user);
+ return PAM_USER_UNKNOWN;
}
return PAM_SUCCESS;
}
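Review bot: the strcmp() mismatch branch in check_pam_user() had no regression coverage, and this one-line fix still adds none: the diffstat touches only auth-pam.c. The commit message says the return was dropped during an earlier fix of the same check, so before this change the branch logged the mismatch via error_f() and then fell through to `return PAM_SUCCESS;`, which is a fail-open result on an authentication path. Consider adding a test that uses a PAM module calling pam_set_item(h, PAM_USER, ...) and asserts that authentication fails, plus a short comment above `return PAM_USER_UNKNOWN;` stating that a changed PAM_USER is unsupported and must terminate the attempt. It is also worth confirming that every caller of check_pam_user() treats a non-PAM_SUCCESS result as fatal, since the callers are not visible in this hunk.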