[Bug 117] OpenSSH second-guesses PAM

Damien Miller djm at mindrot.org
Sat Apr 27 12:41:21 EST 2002


On Fri, 26 Apr 2002, Frank Cusack wrote:

> On Wed, Apr 17, 2002 at 11:39:47PM +1000, bugzilla-daemon at mindrot.org wrote:
> > http://bugzilla.mindrot.org/show_bug.cgi?id=117
> >
> > ------- Additional Comments From djm at mindrot.org  2002-04-17 23:39 -------
> > > You are eliminating the possibility that sshd might want to authenticate
> > > someone without a local account (requesting a non-login service?).
> >
> > PAM shouldn't be abused to be a getpw* replacement. Quoth
> > http://www.opengroup.org/tech/rfc/mirror-rfc/rfc86.0.txt:
> >
> > ] (c) We do not address the source of information obtained from the
> > ] "`getXbyY()'" family of calls (e.g., `getpwnam()').
>
> I don't understand how this supports the argument for 'NOUSER'.  Passing
> on the real username is not [ab]using PAM for getpw* functionality.

I was referring to your comment:

> You are eliminating the possibility that sshd might want to authenticate
> someone without a local account (requesting a non-login service?).

-d

More information about the openssh-unix-dev mailing list