problem with PAM coding, openssh-2.5.2p2

phil at bolthole.com
Tue May 1 18:50:24 EST 2001


Howdy coders,

in openssh-2.5.2p2, auth1.c, do_authentication()

you folks do a call to getpwnam(user)

If this fails, you NULL out 'pw'

Unfortunately, this stops start_pam() from being called at all.

I'm not a PAM API expert, but I was under the impression that there are PAM
API calls you should be making for account verification, in PARALLEL to
getpwnam(), rather than being gated by getpwnam().

Or instead, maybe you should have start_pam fill out a limited set of
(struct passwd) info, if getpwnam failed
[and then call allowed_user() AFTER this].


I'm trying to use a PAM module to integrate with OpenLDAP.
I want to have user account info present on only the LDAP server, not
in the regular password info. And ONLY for sshd.
So a plain call to getpwnam will fail.

Yes, I realize that this will break other UNIX apps expecting getpwnam to
work. That's MY problem :-)
Your problem is that I think you guys are going against the principles of
how PAM was designed: as a replacement for stuff like getpwnam(), and
hand-checking of shadow expiration.
