PAM and getpwnam [ struct passwd *getpwnam(const char * name) ]

Darren Moffat Darren.Moffat at eng.sun.com
Thu Aug 16 06:57:13 EST 2001


>I use a PAM-module (pam_ncp_auth from ncpfs) for authentication against a
>netware server.
>
>pam_ncp_auth can create local UNIX user accounts from information in NDS,
>and it works perfectly with login, gdm and telnet. But not with openssh (2.5
>and 2.9).

This module is broken.  This is completely the wrong thing to do: a PAM
module should not be adding entries into /etc/passwd.

What you should have is a PAM module for the authentication to NDS and
an NSS (nsswitch.conf) module (nss_nds.so) for the lookups so that getpwnam()
will actually get the data from NDS.

I believe this is how Novell's NDS for Solaris actually works.

>It works perfectly if the user already is in /etc/passwd, but the first time
>he logs on he doesn't exist there. In that case openssh calls the function
>getpwnam to see if the user exists at all, and if he doesn't, sshd
>refuses to let the user log in.

Correct behaviour.

I don't think OpenSSH should be patched to fix a very broken solution
like you have.

--
Darren J Moffat




More information about the openssh-unix-dev mailing list