[Bug 117] OpenSSH second-guesses PAM

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Feb 15 10:47:25 EST 2002


------- Additional Comments From Darren.Moffat at Sun.COM  2002-02-15 10:47 -------
There is nothing wrong with calling pam_set_item to set an item to NULL and in
fact there are modules on Solaris that do exactly that for PAM_AUTHTOK.

PAM on Solaris would not have syslogged the pam_set_item message that is 
described in bug 114

There is nothing wrong in having a syslog message for pam_set_item being
called with the item value as NULL, however since it is perfectly valid to do
so this should be a debug only syslog message and either the case being
reported had pam framework debugging enabled or there is a bug in the Linux PAM
framework library.

It is perfectly valid to pass NULL as the user into pam_start; pam_start
ultimately calls pam_set_item to setup the PAM_USER.  If the application does
that then it should use pam_get_item(pamh, PAM_USER, &user) to find out which
user was authenticated if pam_authenticate returned PAM_SUCCESS.

I would rather that OpenSSH passed NULL to pam_start than passing NOUSER.  There
could potentially be modules on the stack that will prompt for a user name
if PAM_USER is empty - this is perfectly valid PAM according to the XSSO spec
(which Linux PAM does not comply with - it has extended and embraced in an
incompatible way in some areas).
Passing the string "NOUSER" takes a way a valid username out of the namespace,
what if there really was a user called nouser (The user account for some 
subsystem called 'no' for example or someone called Neil Ouser) the
pam_authenticate call might actually succeed - this probably isn't what you were 
expecting to happen in this case.

PAM_USER == NULL means I the application don't know the user name, anything else
is taken to mean you the application are trying to authenticate the named user.

I believe the correct fix is for OpenSSH to pass NULL to pam_start when it
doesn't know the username and pass the username when it does.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the openssh-unix-dev mailing list